diff options
| author | Ben Pfaff <blp@nicira.com> | 2011-10-21 15:34:25 -0700 |
|---|---|---|
| committer | Ben Pfaff <blp@nicira.com> | 2011-10-21 15:34:25 -0700 |
| commit | b59da960549140e495e0fdcff086a62ebcdf5287 (patch) | |
| tree | 5d1c7c67fb2dd5e6b679b9694de5917721cd9312 | |
| parent | 7257b535ab8e5fafd811c5f6788205eefdd44948 (diff) | |
vport-capwap: Fix use-after-free on error path.
I originally meant just to fix the use of kfree_skb() instead of
consume_skb() on the success path, but then I realized that the failure
path returned an skb that it had just freed.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
| -rw-r--r-- | datapath/vport-capwap.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/datapath/vport-capwap.c b/datapath/vport-capwap.c index 3fb4ffb3..8d78b6d1 100644 --- a/datapath/vport-capwap.c +++ b/datapath/vport-capwap.c @@ -507,13 +507,13 @@ static struct sk_buff *fragment(struct sk_buff *skb, const struct vport *vport, remaining -= frag_size; } - goto out; + consume_skb(skb); + return result; error: tnl_free_linked_skbs(result); -out: kfree_skb(skb); - return result; + return NULL; } /* All of the following functions relate to fragmentation reassembly. */ |