| From 587edb094bf2c6d420f085d3761778b65675d40d Mon Sep 17 00:00:00 2001 |
| From: Pan Bian <bianpan2016@163.com> |
| Date: Tue, 5 Nov 2019 22:49:11 +0800 |
| Subject: [PATCH] staging: rtl8192e: fix potential use after free |
| |
| commit b7aa39a2ed0112d07fc277ebd24a08a7b2368ab9 upstream. |
| |
| The variable skb is released via kfree_skb() when the return value of |
| _rtl92e_tx is not zero. However, after that, skb is accessed again to |
| read its length, which may result in a use after free bug. This patch |
| fixes the bug by moving the release operation to where skb is never |
| used later. |
| |
| Signed-off-by: Pan Bian <bianpan2016@163.com> |
| Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Cc: stable <stable@vger.kernel.org> |
| Link: https://lore.kernel.org/r/1572965351-6745-1-git-send-email-bianpan2016@163.com |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c |
| index f932cb15e4e5..c702ee9691b1 100644 |
| --- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c |
| +++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c |
| @@ -1616,14 +1616,15 @@ static void _rtl92e_hard_data_xmit(struct sk_buff *skb, struct net_device *dev, |
| memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev)); |
| skb_push(skb, priv->rtllib->tx_headroom); |
| ret = _rtl92e_tx(dev, skb); |
| - if (ret != 0) |
| - kfree_skb(skb); |
| |
| if (queue_index != MGNT_QUEUE) { |
| priv->rtllib->stats.tx_bytes += (skb->len - |
| priv->rtllib->tx_headroom); |
| priv->rtllib->stats.tx_packets++; |
| } |
| + |
| + if (ret != 0) |
| + kfree_skb(skb); |
| } |
| |
| static int _rtl92e_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) |
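Review bot: The stats update in the `queue_index != MGNT_QUEUE` branch still reads `skb->len` after `_rtl92e_tx(dev, skb)` has returned, including when it returned 0 and the buffer has presumably been handed to the transmit path. If the completion side can free the skb before this read (not visible in the hunk, so worth confirming), the access is still a use after free on the success path. Reading the length once before the call removes the dependency on skb's lifetime, assuming `_rtl92e_tx` is not expected to change the length: `unsigned int tx_len = skb->len - priv->rtllib->tx_headroom;` after `skb_push()`, then `priv->rtllib->stats.tx_bytes += tx_len;`. As written, `tx_bytes` and `tx_packets` are also incremented when `ret != 0` and the packet is dropped, which looks unintended unless the counters are meant to record attempts. The body of `_rtl92e_hard_data_xmit` starts above the hunk, so the declaration site for the new local is outside what is shown.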
| -- |
| 2.7.4 |
| |