From: Li RongQing Date: Sat, 18 Oct 2014 09:27:42 +0000 (+0800) Subject: ipv6: fix a potential use after free in ip6_offload.c X-Git-Tag: firefly_0821_release~176^2~3001^2~2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=fc6fb41cd64fd810bcc69fe9776d2f500778f38f;p=firefly-linux-kernel-4.4.55.git ipv6: fix a potential use after free in ip6_offload.c pskb_may_pull() maybe change skb->data and make opth pointer oboslete, so set the opth again Signed-off-by: Li RongQing Acked-by: Eric Dumazet Signed-off-by: David S. Miller --- diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c index 9034f76ae013..91014d32488d 100644 --- a/net/ipv6/ip6_offload.c +++ b/net/ipv6/ip6_offload.c @@ -46,6 +46,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto) if (unlikely(!pskb_may_pull(skb, len))) break; + opth = (void *)skb->data; proto = opth->nexthdr; __skb_pull(skb, len); }