From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Date: Fri, 13 Oct 2006 23:13:36 +0000 (+0200)
Subject: [ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997)
X-Git-Tag: v2.6.16.30-rc1~10
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=cffa5ffe7214563e25b1cd72b229b4e6a709eb71;p=karo-tx-linux.git

[ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997)

In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
---

diff --git a/net/atm/clip.c b/net/atm/clip.c
index 1842a4ef9cb8..b10474d6ef52 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -507,9 +507,11 @@ static int clip_mkip(struct atm_vcc *vcc,int timeout)
 		else {
 			unsigned int len = skb->len;
 
+			skb_get(skb);
 			clip_push(vcc,skb);
 			PRIV(skb->dev)->stats.rx_packets--;
 			PRIV(skb->dev)->stats.rx_bytes -= len;
+			kfree_skb(skb);
 		}
 	return 0;
 }