[CHECKER] 2.4.5-ac4 use of freed pointers

From: Dawson Engler (engler@csl.Stanford.EDU)
Date: Fri Jun 01 2001 - 00:52:49 EDT


    Three use-after-free bugs:

    ---------------------------------------------------------
    [BUG]
    /u2/engler/mc/oses/linux/2.4.5-ac4/net/rose/rose_dev.c:127:rose_rebuild_header: ERROR:FREE:122:127: Use-after-free of 'skbn'! set by 'kfree_skb':122
                    skb_set_owner_w(skbn, skb->sk);

            kfree_skb(skb);

            if (!rose_route_frame(skbn, NULL)) {
    Start --->
                    kfree_skb(skbn);
                    stats->tx_errors++;
            }

            stats->tx_packets++;
    Error --->
            stats->tx_bytes += skbn->len;
    #endif
            return 1;
    }
    ---------------------------------------------------------
    [BUG] frees then uses the next pointer.
    /u2/engler/mc/oses/linux/2.4.5-ac4/drivers/net/wan/lapbether.c:101:lapbeth_check_devices: ERROR:FREE:113:101: Use-after-free of 'lapbeth'! set by 'kfree':113
            save_flags(flags);
            cli();

            lapbeth_prev = NULL;

    Error --->
            for (lapbeth = lapbeth_devices; lapbeth != NULL; lapbeth = lapbeth->next) {
                    if (!dev_get(lapbeth->ethname)) {
                            if (lapbeth_prev)
                                    lapbeth_prev->next = lapbeth->next;
                            else
                                    lapbeth_devices = lapbeth->next;

                            if (&lapbeth->axdev == dev)
                                    result = 1;

                            unregister_netdev(&lapbeth->axdev);
                            dev_put(lapbeth->ethdev);
    Start --->
                            kfree(lapbeth);
                    }
                    else
                            lapbeth_prev = lapbeth;
    ---------------------------------------------------------
    [BUG] frees then uses the next pointer.
    /u2/engler/mc/oses/linux/2.4.5-ac4/drivers/net/hamradio/bpqether.c:178:bpq_check_devices: ERROR:FREE:193:178: Use-after-free of 'bpq'! set by 'kfree':193
            save_flags(flags);
            cli();

            bpq_prev = NULL;

    Error --->
            for (bpq = bpq_devices; bpq != NULL; bpq = bpq->next) {

            ... DELETED 9 lines ...

                            /* We should be locked, call
                             * unregister_netdevice directly
                             */

                            unregister_netdevice(&bpq->axdev);
    Start --->
                            kfree(bpq);
                    }
                    else
                            bpq_prev = bpq;




    This archive was generated by hypermail 2b29 : Fri Jun 01 2001 - 00:56:25 EDT
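The two "frees then uses the next pointer" reports share one cause: the `for` increment (`lapbeth = lapbeth->next`, `bpq = bpq->next`) runs after the entry has been passed to `kfree()`. The following userspace sketch is an added example, not code from the original message or from the kernel; `struct dev`, `build_list`, `reap_missing` and `survivors` are hypothetical names, and `malloc`/`free` stand in for the kernel allocator. It walks the same kind of singly linked list but reads the link before freeing the entry.

```c
#include <stdlib.h>

/* Hypothetical stand-in for the per-device structs in the reports. */
struct dev { struct dev *next; int id; int present; };
static struct dev *devices;        /* list head, like lapbeth_devices */

/* Build an n-entry list (constructed data); bit i of mask: entry i present. */
int build_list(unsigned mask, int n)
{
    devices = NULL;
    for (int i = n - 1; i >= 0; i--) {
        struct dev *d = malloc(sizeof(*d));
        if (!d)
            return -1;
        d->id = i;
        d->present = (mask >> i) & 1;
        d->next = devices;
        devices = d;
    }
    return n;
}

/* Unlink and free entries that are gone; returns how many were freed.
 * The link is read before free(), never from the for-increment after it. */
int reap_missing(void)
{
    struct dev **link = &devices, *d, *next;
    int freed = 0;
    for (d = devices; d != NULL; d = next) {
        next = d->next;            /* d is still valid here */
        if (!d->present) {
            *link = next;          /* unlink from head or predecessor */
            free(d);
            freed++;
        } else {
            link = &d->next;
        }
    }
    return freed;
}

/* Bitmask of the ids still on the list, for checking the result. */
unsigned survivors(void)
{
    unsigned m = 0;
    for (struct dev *d = devices; d != NULL; d = d->next)
        m |= 1u << d->id;
    return m;
}
```

Building this with AddressSanitizer and moving the `d->next` read back into the loop increment reproduces the class of error the checker flagged.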