From: Patrick McHardy Date: Mon, 13 Mar 2006 04:34:27 +0000 (-0800) Subject: [NETLINK]: Fix use-after-free in netlink_recvmsg X-Git-Tag: v2.6.16~52 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85;p=linux-2.6 [NETLINK]: Fix use-after-free in netlink_recvmsg The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up a few lines. Coverity #948 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 6b9772d958..59dc7d1406 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1194,6 +1194,9 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, msg->msg_namelen = sizeof(*addr); } + if (nlk->flags & NETLINK_RECV_PKTINFO) + netlink_cmsg_recv_pktinfo(msg, skb); + if (NULL == siocb->scm) { memset(&scm, 0, sizeof(scm)); siocb->scm = &scm; @@ -1205,8 +1208,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, netlink_dump(sk); scm_recv(sock, msg, siocb->scm, flags); - if (nlk->flags & NETLINK_RECV_PKTINFO) - netlink_cmsg_recv_pktinfo(msg, skb); out: netlink_rcv_wake(sk);