possible double call of kfree_skb in net/llc/llc_sap.c

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Dmitry Petukhov

Subject: possible double call of kfree_skb in net/llc/llc_sap.c

Date: Monday, May 26, 2008 - 11:00 pm

In the file  net/llc/llc_sap.c, funcion llc_sap_state_process,
the call to kfree_skb in the line 227 can proceed even if skb was already freed
on line 218, or  224, or queued to the user within sock_queue_rcv_skb function.
Obviously return statement is missing after line 225.

This problem was found by Alex Shevkov.

the code in question:

204 static void llc_sap_state_process(struct llc_sap *sap, struct sk_buff *skb)
205 {
206         struct llc_sap_state_ev *ev = llc_sap_ev(skb);
207
....
213         skb_get(skb);
214         ev->ind_cfm_flag = 0;
215         llc_sap_next_state(sap, skb);
216         if (ev->ind_cfm_flag == LLC_IND) {
217                 if (skb->sk->sk_state == TCP_LISTEN)
218                         kfree_skb(skb);
219                 else {
220                         llc_save_primitive(skb->sk, skb, ev->prim);
221
222                         /* queue skb to the user. */
223                         if (sock_queue_rcv_skb(skb->sk, skb))
224                                 kfree_skb(skb);
225                 }
226         }
227         kfree_skb(skb);
228 }
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

possible double call of kfree_skb in net/llc/llc_sap.c, Dmitry Petukhov, (Mon May 26, 11:00 pm)

Re: possible double call of kfree_skb in net/llc/llc_sap.c, Patrick McHardy, (Mon May 26, 11:16 pm)

Re: possible double call of kfree_skb in net/llc/llc_sap.c, Pekka Enberg, (Mon May 26, 11:20 pm)


linux-kernel:
Paul Turner	[tg_shares_up rewrite v4 11/11] sched: update tg->shares after cpu.shares write
Matthew Garrett	Re: [PATCH] Enable speedstep for sonoma processors.
Mauro Carvalho Chehab	Re: [PATCH 1/2] media: Add timberdale video-in driver
Peter Zijlstra	[PATCH 23/30] netvm: skb processing
Greg Kroah-Hartman	[PATCH 21/28] cgroupfs: create /sys/fs/cgroup to mount cgroupfs on
git:
Jan Hudec	Re: GIT push to sftp (feature request)
Steffen Prohaska	[PATCH 0/4] core.ignorecase
Johannes Schindelin	Re: Git checkout preserve timestamp?
Linus Torvalds	[PATCH 1/7] Make unpack_trees_options bit flags actual bitfields
Johan Herland	Re: What's cooking in git.git (Oct 2010, #01; Wed, 13)
linux-netdev:
David Miller	Re: [PATCH 1/3] f_phonet: dev_kfree_skb instead of dev_kfree_skb_any in TX callback
Richard Cochran	Re: [PATCH v3 3/3] ptp: Added a clock that uses the eTSEC found on the MPC85xx.
Jan Engelhardt	Re: [PATCH] Fix netfilter xt_time's time_mt()'s use of do_div()
Herbert Xu	Re: [RFC PATCH 00/17] virtual-bus
Jeff Kirsher	Re: [net-next-2.6 PATCH] e1000e: don't inadvertently re-set INTX_DISABLE
git-commits-head:
Linux Kernel Mailing List	ALSA: hda - Enable beep on Realtek codecs with PCI SSID override
Linux Kernel Mailing List	Use path_put() in a few places instead of {mnt,d}put()
Linux Kernel Mailing List	mv643xx_eth: use sw csum for big packets
Linux Kernel Mailing List	arm: fix HAVE_CLK merge goof
Linux Kernel Mailing List	arm: convert pcm037 platform to use smsc911x
freebsd-current:
David Wolfskill	"interrupt storm..."; seems associated with an0 NIC
Andriy Gapon	Re: letting glabel recognise a media change
Garrett Cooper	Re: Only display ACPI bootmenu key if ACPI is present
Pyun YongHyeon	CFT: msk(4) Rx checksum offloading support
FreeBSD Tinderbox	[head tinderbox] failure on sparc64/sparc64