
Commit cc9a06cd authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETLINK]: Fix use-after-free in netlink_recvmsg



The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up
a few lines.

Coverity #948

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f8dc01f5
+3 −2
@@ -1194,6 +1194,9 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
		msg->msg_namelen = sizeof(*addr);
		msg->msg_namelen = sizeof(*addr);
	}
	}


	if (nlk->flags & NETLINK_RECV_PKTINFO)
		netlink_cmsg_recv_pktinfo(msg, skb);

	if (NULL == siocb->scm) {
	if (NULL == siocb->scm) {
		memset(&scm, 0, sizeof(scm));
		memset(&scm, 0, sizeof(scm));
		siocb->scm = &scm;
		siocb->scm = &scm;
@@ -1205,8 +1208,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
		netlink_dump(sk);
		netlink_dump(sk);


	scm_recv(sock, msg, siocb->scm, flags);
	scm_recv(sock, msg, siocb->scm, flags);
	if (nlk->flags & NETLINK_RECV_PKTINFO)
		netlink_cmsg_recv_pktinfo(msg, skb);


out:
out:
	netlink_rcv_wake(sk);
	netlink_rcv_wake(sk);
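Review bot: Nothing at the relocated `if (nlk->flags & NETLINK_RECV_PKTINFO)` call in the first hunk records why it has to sit this early, so a later reordering could quietly reintroduce the use-after-free. The statement that releases the skb presumably lies in the unshown lines between the two hunks, which makes the lifetime constraint invisible from either call site. I would add a comment above the moved block such as `/* skb is released further down; every read of skb must happen before that point */`. A secondary point to confirm is that the pktinfo control message is now emitted before whatever `scm_recv()` appends, so the order of ancillary data seen by userspace changes. That should be harmless for receivers that match control messages by type. netlink_recvmsg starts and ends outside the hunks shown here.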