diff mbox series

[net] net: hsr: Fix potential use-after-free

Message ID 20221123063057.25952-1-yuehaibing@huawei.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] net: hsr: Fix potential use-after-free | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 1 maintainers not CCed: claudiajkang@gmail.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 20 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Yue Haibing Nov. 23, 2022, 6:30 a.m. UTC 
The skb is delivered to netif_rx() which may free it, after calling this,
dereferencing skb may trigger use-after-free.

Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
---
 net/hsr/hsr_forward.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Paolo Abeni Nov. 24, 2022, 8:53 a.m. UTC | #1 
Hello,

On Wed, 2022-11-23 at 14:30 +0800, YueHaibing wrote:
> The skb is delivered to netif_rx() which may free it, after calling this,
> dereferencing skb may trigger use-after-free.
> 
> Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
> Signed-off-by: YueHaibing <yuehaibing@huawei.com>

The code looks good, but the above is not the commit introducing the
issue, it just move the netif_rx() and later skb access from somewhere
else.

Please go deeper in git history and find the change that originated the
issue.

Thanks,

Paolo
Yue Haibing Nov. 25, 2022, 7:53 a.m. UTC | #2 
On 2022/11/24 16:53, Paolo Abeni wrote:
> Hello,
> 
> On Wed, 2022-11-23 at 14:30 +0800, YueHaibing wrote:
>> The skb is delivered to netif_rx() which may free it, after calling this,
>> dereferencing skb may trigger use-after-free.
>>
>> Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
>> Signed-off-by: YueHaibing <yuehaibing@huawei.com>
> 
> The code looks good, but the above is not the commit introducing the
> issue, it just move the netif_rx() and later skb access from somewhere
> else.
> 
> Please go deeper in git history and find the change that originated the> issue.

Ok, will dig it.

> 
> Thanks,
> 
> Paolo
> 
> .
>
diff mbox series

Patch

diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index a50429a62f74..56bb27d67a2e 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -351,17 +351,18 @@  static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
 			       struct hsr_node *node_src)
 {
 	bool was_multicast_frame;
-	int res;
+	int res, recv_len;
 
 	was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST);
 	hsr_addr_subst_source(node_src, skb);
 	skb_pull(skb, ETH_HLEN);
+	recv_len = skb->len;
 	res = netif_rx(skb);
 	if (res == NET_RX_DROP) {
 		dev->stats.rx_dropped++;
 	} else {
 		dev->stats.rx_packets++;
-		dev->stats.rx_bytes += skb->len;
+		dev->stats.rx_bytes += recv_len;
 		if (was_multicast_frame)
 			dev->stats.multicast++;
 	}