Commit dbabad0c authored by Johannes Berg, committed by John W. Linville

zd1211rw: fix potential use-after-free bug



zd_mac_tx_to_dev() could potentially free the skb, or hand it off
to mac80211 which might free it. Hence, this code needs to get the
usb pointer out of skb->cb before handing it off to that function.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent 6d6936e2
+5 −1
@@ -889,9 +889,13 @@ static void tx_urb_complete(struct urb *urb)
	}
free_urb:
	skb = (struct sk_buff *)urb->context;
	zd_mac_tx_to_dev(skb, urb->status);
	/*
	 * grab 'usb' pointer before handing off the skb (since
	 * it might be freed by zd_mac_tx_to_dev or mac80211)
	 */
	cb = (struct zd_tx_skb_control_block *)skb->cb;
	usb = &zd_hw_mac(cb->hw)->chip.usb;
	zd_mac_tx_to_dev(skb, urb->status);
	free_tx_urb(usb, urb);
	tx_dec_submitted_urbs(usb);
	return;
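
Review bot: in the free_urb path, the new comment only names 'usb', but after zd_mac_tx_to_dev(skb, urb->status) both skb and cb (which points into skb->cb) are stale and still in scope. Consider extending the comment to say that neither skb nor cb may be touched after that call, so a later edit to tx_urb_complete() does not reintroduce the use-after-free. The ordering itself reads correctly: usb is derived from cb->hw before the handoff, and free_tx_urb(usb, urb) and tx_dec_submitted_urbs(usb) use only usb and urb.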