eeepc-laptop: fix use after free

[linux-2.6] / net / sched / act_mirred.c

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 6cb5e30dcf8c726e914d52ca28f9399b60f80713..70341c020b6de33586e7fb02f41857c3770122cb 100644 (file)
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -54,6 +54,10 @@ static inline int tcf_mirred_release(struct tcf_mirred *m, int bind)
        return 0;
 }
 
+static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = {
+       [TCA_MIRRED_PARMS]      = { .len = sizeof(struct tc_mirred) },
+};
+
 static int tcf_mirred_init(struct nlattr *nla, struct nlattr *est,
                           struct tc_action *a, int ovr, int bind)
 {
@@ -68,12 +72,11 @@ static int tcf_mirred_init(struct nlattr *nla, struct nlattr *est,
        if (nla == NULL)
                return -EINVAL;
 
-       err = nla_parse_nested(tb, TCA_MIRRED_MAX, nla, NULL);
+       err = nla_parse_nested(tb, TCA_MIRRED_MAX, nla, mirred_policy);
        if (err < 0)
                return err;
 
-       if (tb[TCA_MIRRED_PARMS] == NULL ||
-           nla_len(tb[TCA_MIRRED_PARMS]) < sizeof(*parm))
+       if (tb[TCA_MIRRED_PARMS] == NULL)
                return -EINVAL;
        parm = nla_data(tb[TCA_MIRRED_PARMS]);
 
@@ -161,7 +164,7 @@ bad_mirred:
                if (skb2 != NULL)
                        kfree_skb(skb2);
                m->tcf_qstats.overlimits++;
-               m->tcf_bstats.bytes += skb->len;
+               m->tcf_bstats.bytes += qdisc_pkt_len(skb);
                m->tcf_bstats.packets++;
                spin_unlock(&m->tcf_lock);
                /* should we be asking for packet to be dropped?
@@ -181,7 +184,7 @@ bad_mirred:
                goto bad_mirred;
        }
 
-       m->tcf_bstats.bytes += skb2->len;
+       m->tcf_bstats.bytes += qdisc_pkt_len(skb2);
        m->tcf_bstats.packets++;
        if (!(at & AT_EGRESS))
                if (m->tcfm_ok_push)