From cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Sun, 12 Mar 2006 20:34:27 -0800
Subject: [PATCH] [NETLINK]: Fix use-after-free in netlink_recvmsg

The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up a few lines.

Coverity #948

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
 net/netlink/af_netlink.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6b9772d958..59dc7d1406 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1194,6 +1194,9 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
  msg->msg_namelen = sizeof(*addr);
  }
 
+ if (nlk->flags & NETLINK_RECV_PKTINFO)
+ netlink_cmsg_recv_pktinfo(msg, skb);
+
  if (NULL == siocb->scm) {
  memset(&scm, 0, sizeof(scm));
  siocb->scm = &scm;
@@ -1205,8 +1208,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
  netlink_dump(sk);
 
  scm_recv(sock, msg, siocb->scm, flags);
- if (nlk->flags & NETLINK_RECV_PKTINFO)
- netlink_cmsg_recv_pktinfo(msg, skb);
 
 out:
  netlink_rcv_wake(sk);
-- 
2.39.5
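Review bot: The relocated `netlink_cmsg_recv_pktinfo(msg, skb)` call in the first hunk has no comment tying its position to the skb's lifetime, so a later reorder could quietly reintroduce the use-after-free. The release of the skb is not visible in either hunk (presumably it sits in the lines between them), which makes the constraint implicit; I would add `/* must run before the skb is released below: reads skb */` above the `if (nlk->flags & NETLINK_RECV_PKTINFO)` line. The PKTINFO control message is also now queued ahead of whatever `scm_recv()` appends, so the cmsg order seen by userspace changes, and with a short control buffer it may be the later messages that get truncated; worth confirming that no receiver depends on the old order. netlink_recvmsg's body starts and ends outside the hunk.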