Commit f3009d0d authored Mar 14, 2025 by Dan Carpenter Committed by Paolo Abeni Mar 20, 2025

net: atm: fix use after free in lec_send()



The ->send() operation frees skb so save the length before calling
->send() to avoid a use after free.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/c751531d-4af4-42fe-affe-6104b34b791d@stanley.mountain


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent 559847f5

net/atm/lec.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -181,6 +181,7 @@ static void
		lec_send(struct atm_vcc vcc, struct sk_buff skb)
		{
		struct net_device *dev = skb->dev;
		unsigned int len = skb->len;

		ATM_SKB(skb)->vcc = vcc;
		atm_account_tx(vcc, skb);
		@@ -191,7 +192,7 @@ lec_send(struct atm_vcc vcc, struct sk_buff skb)
		}

		dev->stats.tx_packets++;
		dev->stats.tx_bytes += skb->len;
		dev->stats.tx_bytes += len;
		}

		static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue)