qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

net: atm: fix use after free in lec_send() 

JIRA: https://issues.redhat.com/browse/RHEL-93133
CVE: CVE-2025-22004

commit f3009d0d6ab78053117f8857b921a8237f4d17b3
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Fri Mar 14 13:10:57 2025 +0300

    net: atm: fix use after free in lec_send()

    The ->send() operation frees skb so save the length before calling
    ->send() to avoid a use after free.

    Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/c751531d-4af4-42fe-affe-6104b34b791d@stanley.mountain
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
This commit is contained in:
CKI Backport Bot 2025-05-22 08:41:12 +00:00
parent 06792db1bb
commit 635f8f4064
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
net/atm/lec.c
View File

@ -181,6 +181,7 @@ static void
lec_send(struct atm_vcc *vcc, struct sk_buff *skb) lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
{ {
struct net_device *dev = skb->dev; struct net_device *dev = skb->dev;
unsigned int len = skb->len;
ATM_SKB(skb)->vcc = vcc; ATM_SKB(skb)->vcc = vcc;
atm_account_tx(vcc, skb); atm_account_tx(vcc, skb);
@ -191,7 +192,7 @@ lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
} }
dev->stats.tx_packets++; dev->stats.tx_packets++;
dev->stats.tx_bytes += skb->len; dev->stats.tx_bytes += len;
} }
static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue) static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue)