NFC: Fix incorrect llcp pointer dereference
nfc_llcp_ns(s) dereferences the s pointer which is freed a line
above. As a result, it can produce a crash or you will read
an incorrect value.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Waldemar Rymarkiewicz authored and Samuel Ortiz committed Nov 28, 2012
1 parent 6bdd253 commit 2898149
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion net/nfc/llcp/llcp.c
Expand Up @@ -903,15 +903,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
/* Remove skbs from the pending queue */
if (llcp_sock->send_ack_n != nr) {
struct sk_buff *s, *tmp;
u8 n;

llcp_sock->send_ack_n = nr;

/* Remove and free all skbs until ns == nr */
skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
n = nfc_llcp_ns(s);

skb_unlink(s, &llcp_sock->tx_pending_queue);
kfree_skb(s);

if (nfc_llcp_ns(s) == nr)
if (n == nr)
break;
}
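
Review bot: the assignment `n = nfc_llcp_ns(s);` at the top of the skb_queue_walk_safe loop needs a one-line comment saying that s must not be touched after kfree_skb(s), otherwise a later cleanup can fold the call back into the `if` and reintroduce the use-after-free. `n` is only used inside the loop body, so declaring it there instead of beside `s` and `tmp` would narrow its scope and make the ordering dependency easier to see. Separately, the loop's only early exit is `if (n == nr) break;`, so when no skb in tx_pending_queue carries that sequence number the walk unlinks and frees every pending skb; it is worth confirming that this is the intended behaviour for any nr value that reaches this branch.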
