net: Fix use after free by removing length arg from sk_data_ready callbacks.
diff --git
a/net/phonet/pep.c
b/net/phonet/pep.c
index e77411735de8e53f516e9b735c7966485af56470..70a547ea51777784fdd545b4c86d7da69991a53a 100644
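--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -462,10 +462,9 @@ out:
 queue:
 skb->dev = NULL;
 skb_set_owner_r(skb, sk);
-err = skb->len;
 skb_queue_tail(queue, skb);
 if (!sock_flag(sk, SOCK_DEAD))
-sk->sk_data_ready(sk, err);
+sk->sk_data_ready(sk);
 return NET_RX_SUCCESS;
 }
@@ -587,10 +586,9 @@ static int pipe_handler_do_rcv(struct sock *sk, struct sk_buff *skb)
 pn->rx_credits--;
 skb->dev = NULL;
 skb_set_owner_r(skb, sk);
-err = skb->len;
 skb_queue_tail(&sk->sk_receive_queue, skb);
 if (!sock_flag(sk, SOCK_DEAD))
-sk->sk_data_ready(sk, err);
+sk->sk_data_ready(sk);
 return NET_RX_SUCCESS;
 case PNS_PEP_CONNECT_RESP:
@@ -698,7 +696,7 @@ static int pep_do_rcv(struct sock *sk, struct sk_buff *skb)
 skb_queue_head(&sk->sk_receive_queue, skb);
 sk_acceptq_added(sk);
 if (!sock_flag(sk, SOCK_DEAD))
-sk->sk_data_ready(sk, 0);
+sk->sk_data_ready(sk);
 return NET_RX_SUCCESS;
 case PNS_PEP_DISCONNECT_REQ: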
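Review bot: Nothing on the new side records the ownership rule behind this change, so it is easy to break again. In all three hunks the skb is handed to the receive queue (`skb_queue_tail` / `skb_queue_head`) before `sk->sk_data_ready(sk)` runs, and from that point a reader can presumably dequeue and free it. I would add a short comment above each wake-up, for example `/* skb is owned by the receive queue now; do not dereference it past this point */`. The removed code read `skb->len` before queueing, so these call sites look like signature updates rather than the faulty read itself; that is inferred from the visible lines only. The enclosing functions start and end outside the hunks, so whether `err` is still used in the first two after `err = skb->len;` goes cannot be checked from here.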