[ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997)

In clip_mkip(), skb->dev is dereferenced after clip_push(), which frees up skb. Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>). Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
author: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> 2006-10-14 01:13:36 +0200
committer: Adrian Bunk <bunk@stusta.de> 2006-10-14 01:13:36 +0200
commit: cffa5ffe7214563e25b1cd72b229b4e6a709eb71 (patch)
tree: 05dc3963c154698ead9364445d7ba892be8f1082 /net
parent: 601c7cf7254ea9544d74381b8ee022b7fb207535 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/atm/clip.c b/net/atm/clip.c
index 1842a4ef9cb..b10474d6ef5 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -507,9 +507,11 @@ static int clip_mkip(struct atm_vcc *vcc,int timeout)
 		else {
 			unsigned int len = skb->len;
 
+			skb_get(skb);
 			clip_push(vcc,skb);
 			PRIV(skb->dev)->stats.rx_packets--;
 			PRIV(skb->dev)->stats.rx_bytes -= len;
+			kfree_skb(skb);
 		}
 	return 0;
 }
author	YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>	2006-10-14 01:13:36 +0200
committer	Adrian Bunk <bunk@stusta.de>	2006-10-14 01:13:36 +0200
commit	cffa5ffe7214563e25b1cd72b229b4e6a709eb71 (patch)
tree	05dc3963c154698ead9364445d7ba892be8f1082 /net
parent	601c7cf7254ea9544d74381b8ee022b7fb207535 (diff)