hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

zd1211rw: fix potential use-after-free bug 

zd_mac_tx_to_dev() could potentially free the skb, or hand it off
to mac80211 which might free it. Hence, this code needs to get the
usb pointer out of skb->cb before handing it off to that function.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Johannes Berg 2008-05-08 01:43:59 +02:00 committed by John W. Linville
parent 6d6936e2ea
commit dbabad0c9c
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/net/wireless/zd1211rw/zd_usb.c
View File

@ -889,9 +889,13 @@ static void tx_urb_complete(struct urb *urb)
} }
free_urb: free_urb:
skb = (struct sk_buff *)urb->context; skb = (struct sk_buff *)urb->context;
zd_mac_tx_to_dev(skb, urb->status); /*
* grab 'usb' pointer before handing off the skb (since
* it might be freed by zd_mac_tx_to_dev or mac80211)
*/
cb = (struct zd_tx_skb_control_block *)skb->cb; cb = (struct zd_tx_skb_control_block *)skb->cb;
usb = &zd_hw_mac(cb->hw)->chip.usb; usb = &zd_hw_mac(cb->hw)->chip.usb;
zd_mac_tx_to_dev(skb, urb->status);
free_tx_urb(usb, urb); free_tx_urb(usb, urb);
tx_dec_submitted_urbs(usb); tx_dec_submitted_urbs(usb);
return; return;