Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 28981491 authored by Waldemar Rymarkiewicz's avatar Waldemar Rymarkiewicz Committed by Samuel Ortiz
Browse files

NFC: Fix incorrect llcp pointer dereference 



nfc_llcp_ns(s) dereferences the s pointer which is freed a line
above. In a result, it can produce a crash or you will read
incorrect value.

Signed-off-by: default avatarWaldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
parent 6bdd253f

net/nfc/llcp/llcp.c

+4 −1
Original line number Diff line number Diff line
@@ -903,15 +903,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, 
	/* Remove skbs from the pending queue */

	if (llcp_sock->send_ack_n != nr) {

		struct sk_buff *s, *tmp;

		u8 n;



		llcp_sock->send_ack_n = nr;



		/* Remove and free all skbs until ns == nr */

		skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {

			n = nfc_llcp_ns(s);



			skb_unlink(s, &llcp_sock->tx_pending_queue);

			kfree_skb(s);



			if (nfc_llcp_ns(s) == nr)

			if (n == nr)

				break;

		}