From cffa5ffe7214563e25b1cd72b229b4e6a709eb71 Mon Sep 17 00:00:00 2001 From: YOSHIFUJI Hideaki Date: Sat, 14 Oct 2006 01:13:36 +0200 Subject: [ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997) In clip_mkip(), skb->dev is dereferenced after clip_push(), which frees up skb. Advisory: AD_LAB-06009 (). Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk
---
 net/atm/clip.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net')
diff --git a/net/atm/clip.c b/net/atm/clip.c
index 1842a4ef9cb8..b10474d6ef52 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -507,9 +507,11 @@ static int clip_mkip(struct atm_vcc *vcc,int timeout)
 else {
 unsigned int len = skb->len;
+ skb_get(skb);
 clip_push(vcc,skb);
 PRIV(skb->dev)->stats.rx_packets--;
 PRIV(skb->dev)->stats.rx_bytes -= len;
+ kfree_skb(skb);
 }
 return 0;
 }
-- cgit v1.2.3
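Review bot: The two stats lines after `clip_push(vcc,skb)` still read `skb->dev` from a buffer that has already been handed to clip_push(). The added `skb_get()`/`kfree_skb()` pair keeps the sk_buff allocated, but it does not by itself guarantee that `skb->dev` is still the device clip_push() counted the packet against. clip_push() is not visible in this hunk, so check whether the receive path can rewrite that field or leave it unset on an early-drop path. `len` is snapshotted before the call, presumably for this reason, while the device pointer is not. The pairing also deserves a comment above `skb_get(skb)`, e.g. `/* hold a ref: clip_push() may free skb, but skb->dev is read below */`, so a later cleanup does not remove the apparently redundant get/put. The start of clip_mkip() lies outside the hunk.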