diff options
author | Jon Maloy <jon.maloy@ericsson.com> | 2017-11-27 20:13:39 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-11-27 14:44:45 -0500 |
commit | 2e724dca7749223204bbae21745c0e3fc932700a (patch) | |
tree | 7580cc4e02d85681a4cc4e70669614d2e9d857e9 /net | |
parent | 5b5971df3bc2775107ddad164018a8a8db633b81 (diff) | |
download | lwn-2e724dca7749223204bbae21745c0e3fc932700a.tar.gz lwn-2e724dca7749223204bbae21745c0e3fc932700a.zip |
tipc: eliminate access after delete in group_filter_msg()
KASAN revealed another access after delete in group.c. This time
it found that we read the header of a received message after the
buffer has been released.
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/tipc/group.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tipc/group.c b/net/tipc/group.c index 12777cac638a..95fec2c057d6 100644 --- a/net/tipc/group.c +++ b/net/tipc/group.c @@ -497,6 +497,7 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq, while ((skb = skb_peek(defq))) { hdr = buf_msg(skb); mtyp = msg_type(hdr); + blks = msg_blocks(hdr); deliver = true; ack = false; update = false; @@ -546,7 +547,6 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq, if (!update) continue; - blks = msg_blocks(hdr); tipc_group_update_rcv_win(grp, blks, node, port, xmitq); } return; |