1. Patchew
  2. linux
  3. View series

[PATCH net] net: atm: fix use after free in lec_send()

Dan Carpenter posted 1 patch 9 months, 1 week ago 
net/atm/lec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH net] net: atm: fix use after free in lec_send()
Posted by Dan Carpenter 9 months, 1 week ago 
The ->send() operation frees skb so save the length before calling
->send() to avoid a use after free.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 net/atm/lec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/atm/lec.c b/net/atm/lec.c
index ffef658862db..a948dd47c3f3 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -181,6 +181,7 @@ static void
 lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
 {
 	struct net_device *dev = skb->dev;
+	unsigned int len = skb->len;
 
 	ATM_SKB(skb)->vcc = vcc;
 	atm_account_tx(vcc, skb);
@@ -191,7 +192,7 @@ lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
 	}
 
 	dev->stats.tx_packets++;
-	dev->stats.tx_bytes += skb->len;
+	dev->stats.tx_bytes += len;
 }
 
 static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue)
-- 
2.47.2
Re: [PATCH net] net: atm: fix use after free in lec_send()
Posted by Simon Horman 9 months ago 
On Fri, Mar 14, 2025 at 01:10:57PM +0300, Dan Carpenter wrote:
> The ->send() operation frees skb so save the length before calling
> ->send() to avoid a use after free.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Reviewed-by: Simon Horman <horms@kernel.org>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.