diff options
| author | Arnaldo Carvalho de Melo <acme@redhat.com> | 2009-09-11 11:35:22 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-09-11 12:54:23 -0700 |
| commit | ffcfb8db540ff879c2a85bf7e404954281443414 (patch) | |
| tree | 9b0014cd056c4283e6df924a5fe28ab54542c1d3 /net/appletalk/aarp.c | |
| parent | 8ba69ba6a324b13e1190fc31e41954d190fd4f1d (diff) | |
Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded
And also do a better job of returning proper NET_{RX,XMIT}_ values.
Based on a patch and suggestions by Mark Smith.
This fixes CVE-2009-2903
Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/appletalk/aarp.c')
| -rw-r--r-- | net/appletalk/aarp.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c index 89f99d3beb60..9d4adfd22757 100644 --- a/net/appletalk/aarp.c +++ b/net/appletalk/aarp.c @@ -599,7 +599,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb, /* Non ELAP we cannot do. */ if (dev->type != ARPHRD_ETHER) - return -1; + goto free_it; skb->dev = dev; skb->protocol = htons(ETH_P_ATALK); @@ -634,7 +634,7 @@ int aarp_send_ddp(struct net_device *dev, struct sk_buff *skb, if (!a) { /* Whoops slipped... good job it's an unreliable protocol 8) */ write_unlock_bh(&aarp_lock); - return -1; + goto free_it; } /* Set up the queue */ @@ -663,15 +663,21 @@ out_unlock: write_unlock_bh(&aarp_lock); /* Tell the ddp layer we have taken over for this frame. */ - return 0; + goto sent; sendit: if (skb->sk) skb->priority = skb->sk->sk_priority; - dev_queue_xmit(skb); + if (dev_queue_xmit(skb)) + goto drop; sent: - return 1; + return NET_XMIT_SUCCESS; +free_it: + kfree_skb(skb); +drop: + return NET_XMIT_DROP; } +EXPORT_SYMBOL(aarp_send_ddp); /* * An entry in the aarp unresolved queue has become resolved. Send |