ieee802154: properly unshare skbs in ieee802154 *_rcv functions
ieee802154 sockets do not properly unshare received skbs, which leads to panics (at least) when they are used in conjunction with 6lowpan, so run skb_share_check on received skbs. 6lowpan also contains a use-after-free, which is trivially fixed by replacing the inlined skb_share_check with the explicit call. Signed-off-by: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> Tested-by: Alexander Aring <alex.aring@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Phoebe Buckheister
committed by
David S. Miller
David S. Miller
parent
3c5dfeff93
commit
8cfad496c4
@@ -213,6 +213,10 @@ out:
|
||||
|
||||
static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
||||
{
|
||||
skb = skb_share_check(skb, GFP_ATOMIC);
|
||||
if (!skb)
|
||||
return NET_RX_DROP;
|
||||
|
||||
if (sock_queue_rcv_skb(sk, skb) < 0) {
|
||||
kfree_skb(skb);
|
||||
return NET_RX_DROP;
|
||||
|
||||
Reference in New Issue
Block a user