Re: 2.5.69-mm9

From: Trond Myklebust (trond.myklebust@fys.uio.no)
Date: Sun May 25 2003 - 18:23:33 EST

Next message: Matt Mackall: "Re: Resend [PATCH] Make KOBJ_NAME_LEN match BUS_ID_SIZE"
Previous message: Neil Brown: "Re: 2.5.69-mm9"
In reply to: Neil Brown: "Re: 2.5.69-mm9"
Next in thread: Alistair J Strachan: "Re: 2.5.69-mm9"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>>>>> " " == Andrew Morton <akpm@xxxxxxxxx> writes:

> I would be inclined to say that this is a hitherto undiscovered
> use-after-free bug.

Does the following fix it?

Cheers,
Trond

--- linux-2.5.69/net/sunrpc/svcsock.c.orig 2003-05-20 08:34:35.000000000 +0200
+++ linux-2.5.69/net/sunrpc/svcsock.c 2003-05-26 01:16:33.000000000 +0200
@@ -600,6 +600,7 @@
return 0;
}
local_bh_enable();
+ svsk->sk_sk->stamp = skb->stamp;
skb_free_datagram(svsk->sk_sk, skb);
} else {
/* we can use it in-place */
@@ -614,6 +615,7 @@
skb->ip_summed = CHECKSUM_UNNECESSARY;
}
rqstp->rq_skbuff = skb;
+ svsk->sk_sk->stamp = skb->stamp;
}

rqstp->rq_arg.page_base = 0;
@@ -629,7 +631,6 @@
serv->sv_stats->netudpcnt++;

/* One down, maybe more to go... */
- svsk->sk_sk->stamp = skb->stamp;
svc_sock_received(svsk);

return len;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matt Mackall: "Re: Resend [PATCH] Make KOBJ_NAME_LEN match BUS_ID_SIZE"
Previous message: Neil Brown: "Re: 2.5.69-mm9"
In reply to: Neil Brown: "Re: 2.5.69-mm9"
Next in thread: Alistair J Strachan: "Re: 2.5.69-mm9"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]