zd1211rw: fix potential use-after-free bug
author Johannes Berg <johannes@sipsolutions.net>
Wed, 7 May 2008 23:43:59 +0000 (01:43 +0200)
committer John W. Linville <linville@tuxdriver.com>
Tue, 13 May 2008 01:22:19 +0000 (21:22 -0400)
zd_mac_tx_to_dev() could potentially free the skb, or hand it off
to mac80211 which might free it. Hence, this code needs to get the
usb pointer out of skb->cb before handing it off to that function.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/zd1211rw/zd_usb.c

index 5316074f39f0b0c28e73ace87813ecb0e3883ef6..12e24f04dddfcd48aa65526dfe94bbd5beab5c83 100644 (file)
@@ -889,9 +889,13 @@ static void tx_urb_complete(struct urb *urb)
        }
 free_urb:
        skb = (struct sk_buff *)urb->context;
-       zd_mac_tx_to_dev(skb, urb->status);
+       /*
+        * grab 'usb' pointer before handing off the skb (since
+        * it might be freed by zd_mac_tx_to_dev or mac80211)
+        */
        cb = (struct zd_tx_skb_control_block *)skb->cb;
        usb = &zd_hw_mac(cb->hw)->chip.usb;
+       zd_mac_tx_to_dev(skb, urb->status);
        free_tx_urb(usb, urb);
        tx_dec_submitted_urbs(usb);
        return;
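Review bot: the reorder is correct, but the hunk leaves `skb` live in scope after `zd_mac_tx_to_dev(skb, urb->status);`, so nothing stops a later edit from reintroducing the same use-after-free by touching `skb` (or `cb`, which points into `skb->cb`) in the `free_urb:` path after that call. Consider extending the new comment to state explicitly that neither `skb` nor `cb` may be dereferenced after the handoff, or clearing the local (`skb = NULL;`) right after the call so any such use is caught immediately. The `usb` pointer itself is fine to keep using: `usb = &zd_hw_mac(cb->hw)->chip.usb;` resolves to storage inside the chip/mac structure rather than inside the skb, so `free_tx_urb(usb, urb);` and `tx_dec_submitted_urbs(usb);` remain valid once the skb is gone.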