NFC: Fix incorrect llcp pointer dereference

nfc_llcp_ns(s) dereferences the s pointer which is freed a line above. In a result, it can produce a crash or you will read incorrect value. Signed-off-by: N Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com> Signed-off-by: N Samuel Ortiz <sameo@linux.intel.com>

NFC: Fix incorrect llcp pointer dereference
nfc_llcp_ns(s) dereferences the s pointer which is freed a line above. In a result, it can produce a crash or you will read incorrect value. Signed-off-by: N Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com> Signed-off-by: N Samuel Ortiz <sameo@linux.intel.com>
28981491 · Waldemar Rymarkiewicz · Samuel Ortiz · 6bdd253f · 28981491
隐藏空白更改
内联并排

Showing with 4 addition and 1 deletion

net/nfc/llcp/llcp.c net/nfc/llcp/llcp.c +4 -1

未找到文件。
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -903,15 +903,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
 	/* Remove skbs from the pending queue */
 	if (llcp_sock->send_ack_n != nr) {
 		struct sk_buff *s, *tmp;
+		u8 n;

 		llcp_sock->send_ack_n = nr;

 		/* Remove and free all skbs until ns == nr */
 		skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
+			n = nfc_llcp_ns(s);
+
 			skb_unlink(s, &llcp_sock->tx_pending_queue);
 			kfree_skb(s);

-			if (nfc_llcp_ns(s) == nr)
+			if (n == nr)
 				break;
 		}