6lowpan: move skb_free from error paths in decompression
Currently we ensure that the skb is freed on every error path in IPHC
decompression which makes it easy to introduce skb leaks. By centralising
the skb_free into the receive function it makes future decompression routines
easier to maintain. It does come at the expense of ensuring that the skb
passed into the decompression routine must not be copied.
Signed-off-by: Martin Townsend <mtownsend1973@gmail.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Acked-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index eef298d..dc23c55 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -294,20 +294,20 @@
peer = __peer_lookup_chan(dev, chan);
rcu_read_unlock();
if (!peer)
- goto drop;
+ return -EINVAL;
saddr = peer->eui64_addr;
daddr = dev->netdev->dev_addr;
/* at least two bytes will be used for the encoding */
if (skb->len < 2)
- goto drop;
+ return -EINVAL;
if (lowpan_fetch_skb_u8(skb, &iphc0))
- goto drop;
+ return -EINVAL;
if (lowpan_fetch_skb_u8(skb, &iphc1))
- goto drop;
+ return -EINVAL;
return lowpan_header_decompress(skb, netdev,
saddr, IEEE802154_ADDR_LONG,
@@ -315,9 +315,6 @@
IEEE802154_ADDR_LONG, EUI64_ADDR_LEN,
iphc0, iphc1);
-drop:
- kfree_skb(skb);
- return -EINVAL;
}
static int recv_pkt(struct sk_buff *skb, struct net_device *dev,
@@ -370,8 +367,10 @@
goto drop;
ret = iphc_decompress(local_skb, dev, chan);
- if (ret < 0)
+ if (ret < 0) {
+ kfree_skb(local_skb);
goto drop;
+ }
local_skb->protocol = htons(ETH_P_IPV6);
local_skb->pkt_type = PACKET_HOST;