From fc6fb41cd64fd810bcc69fe9776d2f500778f38f Mon Sep 17 00:00:00 2001 From: Li RongQing Date: Sat, 18 Oct 2014 17:27:42 +0800 Subject: [PATCH] ipv6: fix a potential use after free in ip6_offload.c pskb_may_pull() maybe change skb->data and make opth pointer oboslete, so set the opth again Signed-off-by: Li RongQing Acked-by: Eric Dumazet Signed-off-by: David S. Miller --- net/ipv6/ip6_offload.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c index 9034f76ae013..91014d32488d 100644 --- a/net/ipv6/ip6_offload.c +++ b/net/ipv6/ip6_offload.c @@ -46,6 +46,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto) if (unlikely(!pskb_may_pull(skb, len))) break; + opth = (void *)skb->data; proto = opth->nexthdr; __skb_pull(skb, len); } -- 2.39.5