Commit dbabad0c authored by: Johannes Berg, committed by: John W. Linville

zd1211rw: fix potential use-after-free bug

zd_mac_tx_to_dev() could potentially free the skb, or hand it off
to mac80211 which might free it. Hence, this code needs to get the
usb pointer out of skb->cb before handing it off to that function.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Parent 6d6936e2
...@@ -889,9 +889,13 @@ static void tx_urb_complete(struct urb *urb) ...@@ -889,9 +889,13 @@ static void tx_urb_complete(struct urb *urb)
} }
free_urb: free_urb:
skb = (struct sk_buff *)urb->context; skb = (struct sk_buff *)urb->context;
zd_mac_tx_to_dev(skb, urb->status); /*
* grab 'usb' pointer before handing off the skb (since
* it might be freed by zd_mac_tx_to_dev or mac80211)
*/
cb = (struct zd_tx_skb_control_block *)skb->cb; cb = (struct zd_tx_skb_control_block *)skb->cb;
usb = &zd_hw_mac(cb->hw)->chip.usb; usb = &zd_hw_mac(cb->hw)->chip.usb;
zd_mac_tx_to_dev(skb, urb->status);
free_tx_urb(usb, urb); free_tx_urb(usb, urb);
tx_dec_submitted_urbs(usb); tx_dec_submitted_urbs(usb);
return; return;
......
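Review bot: In the free_urb path of tx_urb_complete(), `cb` still points into skb->cb after `zd_mac_tx_to_dev(skb, urb->status)` returns, so from that line on it is a dangling pointer that stays in scope. The visible lines after the call use only `usb` and `urb`, which is correct, but nothing stops a later change from dereferencing `cb` again. Consider extending the new comment to say that neither `skb` nor `cb` may be touched after the handoff, or computing `usb` directly from `skb->cb` in one expression so that no named pointer into the skb outlives the call. The commit message states that zd_mac_tx_to_dev() may free the skb, so any other caller that reads skb->cb after that call needs the same reordering; that is worth checking in the same patch.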