From: Erik Hugne <erik.hugne@ericsson.com>
Date: Fri, 18 Sep 2015 08:46:31 +0000 (+0200)
Subject: tipc: reinitialize pointer after skb linearize
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=4e3ae00100945d39e1f83b7c0179a114ccf55759;p=openwrt%2Fstaging%2Fblogic.git

tipc: reinitialize pointer after skb linearize

The msg pointer into header may change after skb linearization.
We must reinitialize it after calling skb_linearize to prevent
operating on a freed or invalid pointer.

Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reported-by: Tamás Végh <tamas.vegh@ericsson.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 562c926a51cc..c5ac436235e0 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -539,6 +539,7 @@ bool tipc_msg_lookup_dest(struct net *net, struct sk_buff *skb, int *err)
 	*err = -TIPC_ERR_NO_NAME;
 	if (skb_linearize(skb))
 		return false;
+	msg = buf_msg(skb);
 	if (msg_reroute_cnt(msg))
 		return false;
 	dnode = addr_domain(net, msg_lookup_scope(msg));