2007-06-29 19:50:54

by Adrian Bunk

Subject: drivers/net/wireless/libertas/rx.c: use-after-free

The Coverity checker spotted the following use-after-free of "skb" in
drivers/net/wireless/libertas/rx.c introduced by
commit 9012b28a407511fb355f6d2176a12d4653489672 (WTF did this commit
with the title "libertas: make debug configurable" add the
"skb->protocol = __constant_htons(0x0019);" line?):

<-- snip -->

...
static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb)
{
...
libertas_upload_rx_packet(priv, skb);

ret = 0;

done:
skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */
...

<-- snip -->


cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
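The ownership problem in the report above, as an added user-space example that is not part of the thread or of the libertas driver. It assumes, as the report implies, that the upload call consumes the buffer; `struct buf`, `upload_rx_packet` and `process_packet` are hypothetical stand-ins, and the error-path cleanup is an assumption of this toy model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for struct sk_buff (hypothetical, not the kernel type). */
struct buf { uint16_t protocol; };

static uint16_t seen_protocol; /* value the consumer observed */
static int frees;              /* how many buffers were released */

/* Models a consuming call such as libertas_upload_rx_packet(): after it
 * returns, the buffer belongs to the callee. Taking struct buf ** lets it
 * clear the caller's pointer so a later access cannot reach freed memory. */
static void upload_rx_packet(struct buf **bp)
{
    seen_protocol = (*bp)->protocol;
    free(*bp);
    frees++;
    *bp = NULL;
}

/* Returns 0 on success, -1 on error. Every field is written before the
 * handoff; the shared exit label only touches a buffer it still owns. */
static int process_packet(int fail_early, uint16_t proto)
{
    int ret = -1;
    struct buf *b = calloc(1, sizeof(*b));

    if (!b)
        return ret;
    if (fail_early)
        goto done;            /* error path: b is still ours */
    b->protocol = proto;      /* set before ownership transfers */
    upload_rx_packet(&b);
    ret = 0;
done:
    /* A write to b->protocol here would hit freed memory on the success
     * path, which is the pattern Coverity flagged at the "done:" label. */
    if (b) {
        free(b);
        frees++;
    }
    return ret;
}

int main(void)
{
    printf("ok=%d err=%d\n", process_packet(0, 0x0019), process_packet(1, 0));
    return 0;
}
```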



2007-06-30 19:59:38

by Dan Williams

Subject: Re: drivers/net/wireless/libertas/rx.c: use-after-free

On Fri, 2007-06-29 at 21:51 +0200, Adrian Bunk wrote:
> The Coverity checker spotted the following use-after-free of "skb" in
> drivers/net/wireless/libertas/rx.c introduced by
> commit 9012b28a407511fb355f6d2176a12d4653489672 (WTF did this commit
> with the title "libertas: make debug configurable" add the
> "skb->protocol = __constant_htons(0x0019);" line?):

Holger, that's all you :)

dan

> <-- snip -->
>
> ...
> static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb)
> {
> ...
> libertas_upload_rx_packet(priv, skb);
>
> ret = 0;
>
> done:
> skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */
> ...
>
> <-- snip -->
>
>
> cu
> Adrian
>


2007-07-02 08:50:40

by Holger Schurig

Subject: Re: drivers/net/wireless/libertas/rx.c: use-after-free

libertas: remove a coverity bug

... by removing an ill-conceived, useless line.

Signed-off-by: Holger Schurig <[email protected]>

---

Dunno how this line made it into the patch that I made in
February and was committed in May. At that time, I hardly
knew anything about skb's at all and certainly didn't play with
raw ethernet types. Maybe it was a remnant of some bogus test
that I or the committer did?!?

I tested the driver after the removal of this line with ping and
ssh, but not anything else (e.g. no mesh, no tshark monitoring).

drivers/net/wireless/libertas/rx.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c
index 88d9d2d..769c86f 100644
--- a/drivers/net/wireless/libertas/rx.c
+++ b/drivers/net/wireless/libertas/rx.c
@@ -439,7 +439,6 @@ static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb)
ret = 0;

done:
- skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */
lbs_deb_leave_args(LBS_DEB_RX, "ret %d", ret);
return ret;
}
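
Review bot: The commit message does not say what the defect behind the removed line at the `done:` label is; "remove a coverity bug" and "ill-conceived, useless line" leave a later reader guessing. Please state that `skb->protocol` was written at `done:` after `libertas_upload_rx_packet(priv, skb)` had already been called on the success path, which is the use-after-free of `skb` reported in this thread, and name the introducing commit 9012b28a407511fb355f6d2176a12d4653489672 so the fix can be traced to it. The testing listed is ping and ssh only, with no tshark monitoring, while the function touched is process_rxed_802_11_packet; it is worth confirming that those tests actually exercised this function.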