forked from luck/tmp_suning_uos_patched
tipc: eliminate access after delete in group_filter_msg()
KASAN revealed another access after delete in group.c. This time it found that we read the header of a received message after the buffer has been released. Signed-off-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
5b5971df3b
commit
2e724dca77
|
@ -497,6 +497,7 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq,
|
|||
while ((skb = skb_peek(defq))) {
|
||||
hdr = buf_msg(skb);
|
||||
mtyp = msg_type(hdr);
|
||||
blks = msg_blocks(hdr);
|
||||
deliver = true;
|
||||
ack = false;
|
||||
update = false;
|
||||
|
@ -546,7 +547,6 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq,
|
|||
if (!update)
|
||||
continue;
|
||||
|
||||
blks = msg_blocks(hdr);
|
||||
tipc_group_update_rcv_win(grp, blks, node, port, xmitq);
|
||||
}
|
||||
return;
|
||||
|
|
Loading…
Reference in New Issue
Block a user