| Message ID | 57af1f28-7f57-4a96-bcd3-b7a0f2340845@moroto.mountain (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 876f8ab52363f649bcc74072157dfd7adfbabc0d |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] hsr: Prevent use after free in prp_create_tagged_frame() | expand |
On Fri, 2023-10-27 at 15:19 +0300, Dan Carpenter wrote: > The prp_fill_rct() function can fail. In that situation, it frees the > skb and returns NULL. Meanwhile on the success path, it returns the > original skb. So it's straight forward to fix bug by using the returned > value. > > Fixes: 451d8123f897 ("net: prp: add packet handling support") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > net/hsr/hsr_forward.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c > index b71dab630a87..80cdc6f6b34c 100644 > --- a/net/hsr/hsr_forward.c > +++ b/net/hsr/hsr_forward.c > @@ -342,9 +342,7 @@ struct sk_buff *prp_create_tagged_frame(struct hsr_frame_info *frame, > skb = skb_copy_expand(frame->skb_std, 0, > skb_tailroom(frame->skb_std) + HSR_HLEN, > GFP_ATOMIC); > - prp_fill_rct(skb, frame, port); > - > - return skb; > + return prp_fill_rct(skb, frame, port); > } > > static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, Acked-by: Paolo Abeni <pabeni@redhat.com> (note both trees are currently locked now due to the pending PR; this tag is intended to speed-up the merge after the PR itself)
Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Fri, 27 Oct 2023 15:19:01 +0300 you wrote: > The prp_fill_rct() function can fail. In that situation, it frees the > skb and returns NULL. Meanwhile on the success path, it returns the > original skb. So it's straight forward to fix bug by using the returned > value. > > Fixes: 451d8123f897 ("net: prp: add packet handling support") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > > [...] Here is the summary with links: - [net] hsr: Prevent use after free in prp_create_tagged_frame() https://git.kernel.org/netdev/net/c/876f8ab52363 You are awesome, thank you!
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c index b71dab630a87..80cdc6f6b34c 100644 --- a/net/hsr/hsr_forward.c +++ b/net/hsr/hsr_forward.c @@ -342,9 +342,7 @@ struct sk_buff *prp_create_tagged_frame(struct hsr_frame_info *frame, skb = skb_copy_expand(frame->skb_std, 0, skb_tailroom(frame->skb_std) + HSR_HLEN, GFP_ATOMIC); - prp_fill_rct(skb, frame, port); - - return skb; + return prp_fill_rct(skb, frame, port); } static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. Fixes: 451d8123f897 ("net: prp: add packet handling support") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- net/hsr/hsr_forward.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)