Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / ffcfb8db540ff879c2a85bf7e404954281443414^! / . / net / appletalk / aarp.c
commitffcfb8db540ff879c2a85bf7e404954281443414[log] [tgz]
authorArnaldo Carvalho de Melo <acme@redhat.com>Fri Sep 11 11:35:22 2009 -0700
committerDavid S. Miller <davem@davemloft.net>Fri Sep 11 12:54:23 2009 -0700
tree9b0014cd056c4283e6df924a5fe28ab54542c1d3
parent8ba69ba6a324b13e1190fc31e41954d190fd4f1d [diff] [blame]
Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded

And also do a better job of returning proper NET_{RX,XMIT}_ values.

Based on a patch and suggestions by Mark Smith.

This fixes CVE-2009-2903

Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
index 89f99d3..9d4adfd 100644
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c

@@ -599,7 +599,7 @@
 
 	/* Non ELAP we cannot do. */
 	if (dev->type != ARPHRD_ETHER)
-		return -1;
+		goto free_it;
 
 	skb->dev = dev;
 	skb->protocol = htons(ETH_P_ATALK);
@@ -634,7 +634,7 @@
 	if (!a) {
 		/* Whoops slipped... good job it's an unreliable protocol 8) */
 		write_unlock_bh(&aarp_lock);
-		return -1;
+		goto free_it;
 	}
 
 	/* Set up the queue */
@@ -663,15 +663,21 @@
 	write_unlock_bh(&aarp_lock);
 
 	/* Tell the ddp layer we have taken over for this frame. */
-	return 0;
+	goto sent;
 
 sendit:
 	if (skb->sk)
 		skb->priority = skb->sk->sk_priority;
-	dev_queue_xmit(skb);
+	if (dev_queue_xmit(skb))
+		goto drop;
 sent:
-	return 1;
+	return NET_XMIT_SUCCESS;
+free_it:
+	kfree_skb(skb);
+drop:
+	return NET_XMIT_DROP;
 }
+EXPORT_SYMBOL(aarp_send_ddp);
 
 /*
  *	An entry in the aarp unresolved queue has become resolved. Send