diff options
author | Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> | 2014-03-17 18:30:19 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-03-18 15:59:25 -0400 |
commit | 8cfad496c4257441710735ccef622f3829870164 (patch) | |
tree | e5574aa1fac1cac858f94fffb571516bc35809dc /net/ieee802154/raw.c | |
parent | 3c5dfeff932224d3c97cee9fd0d1e2876d700ad3 (diff) | |
download | linux-stable-8cfad496c4257441710735ccef622f3829870164.tar.gz linux-stable-8cfad496c4257441710735ccef622f3829870164.tar.bz2 linux-stable-8cfad496c4257441710735ccef622f3829870164.zip |
ieee802154: properly unshare skbs in ieee802154 *_rcv functions
ieee802154 sockets do not properly unshare received skbs, which leads to
panics (at least) when they are used in conjunction with 6lowpan, so
run skb_share_check on received skbs.
6lowpan also contains a use-after-free, which is trivially fixed by
replacing the inlined skb_share_check with the explicit call.
Signed-off-by: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
Tested-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ieee802154/raw.c')
-rw-r--r-- | net/ieee802154/raw.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ieee802154/raw.c b/net/ieee802154/raw.c index e5258cf6773b..74d54fae33d7 100644 --- a/net/ieee802154/raw.c +++ b/net/ieee802154/raw.c @@ -213,6 +213,10 @@ out: static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb) { + skb = skb_share_check(skb, GFP_ATOMIC); + if (!skb) + return NET_RX_DROP; + if (sock_queue_rcv_skb(sk, skb) < 0) { kfree_skb(skb); return NET_RX_DROP; |