From: Waldemar Rymarkiewicz Date: Mon, 26 Nov 2012 07:40:04 +0000 (+0100) Subject: NFC: Fix incorrect llcp pointer dereference X-Git-Tag: firefly_0821_release~3680^2~1480^2~17^2~80^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=289814918ce3af1296ac7d9b05508bde64e97348;p=firefly-linux-kernel-4.4.55.git NFC: Fix incorrect llcp pointer dereference nfc_llcp_ns(s) dereferences the s pointer which is freed a line above. In a result, it can produce a crash or you will read incorrect value. Signed-off-by: Waldemar Rymarkiewicz Signed-off-by: Samuel Ortiz --- diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c index 9e8f4b2801f6..3d63636120b1 100644 --- a/net/nfc/llcp/llcp.c +++ b/net/nfc/llcp/llcp.c @@ -903,15 +903,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, /* Remove skbs from the pending queue */ if (llcp_sock->send_ack_n != nr) { struct sk_buff *s, *tmp; + u8 n; llcp_sock->send_ack_n = nr; /* Remove and free all skbs until ns == nr */ skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) { + n = nfc_llcp_ns(s); + skb_unlink(s, &llcp_sock->tx_pending_queue); kfree_skb(s); - if (nfc_llcp_ns(s) == nr) + if (n == nr) break; }
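Review bot: In the skb_queue_walk_safe() loop, the new `n = nfc_llcp_ns(s);` read that now precedes `kfree_skb(s)` carries no comment explaining why the order matters, so a later cleanup could fold the call back into the `if` and reintroduce the use-after-free. Add a one-line comment there saying the sequence number must be read before the skb is freed. Two smaller points: `n` is declared at the scope of the enclosing `if` block but is only used inside the loop body, and the name is easy to misread next to `nr`, so declaring it inside the loop with a name such as `ns` would be clearer. The hunk also does not show what type nfc_llcp_ns() yields or the type of `nr`, so confirm that `u8` matches both sides of the `n == nr` comparison.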