NFC: Fix incorrect llcp pointer dereference

nfc_llcp_ns(s) dereferences the s pointer which is freed a line above. In a result, it can produce a crash or you will read incorrect value. Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-26 08:40:04 +01:00 · 2012-11-26 08:40:04 +01:00 · 289814918c
parent 6bdd253f63
commit 289814918c
1 changed files with 4 additions and 1 deletions
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@ -903,15 +903,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
 	/* Remove skbs from the pending queue */
 	if (llcp_sock->send_ack_n != nr) {
 		struct sk_buff *s, *tmp;
+		u8 n;

 		llcp_sock->send_ack_n = nr;

 		/* Remove and free all skbs until ns == nr */
 		skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
+			n = nfc_llcp_ns(s);
+
 			skb_unlink(s, &llcp_sock->tx_pending_queue);
 			kfree_skb(s);

-			if (nfc_llcp_ns(s) == nr)
+			if (n == nr)
 				break;
 		}