vport-capwap: Fix use-after-free on error path.

I originally meant just to fix the use of kfree_skb() instead of
consume_skb() on the success path, but then I realized that the failure
path returned an skb that it had just freed.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

diff --git a/datapath/vport-capwap.c b/datapath/vport-capwap.c
index 3fb4ffb36f750296824b9051ceb048def858c6d4..8d78b6d10df0d77772b473567e784c8fdc93792c 100644 (file)
--- a/datapath/vport-capwap.c
+++ b/datapath/vport-capwap.c
@@ -507,13 +507,13 @@ static struct sk_buff *fragment(struct sk_buff *skb, const struct vport *vport,
                remaining -= frag_size;
        }
 
-       goto out;
+       consume_skb(skb);
+       return result;
 
 error:
        tnl_free_linked_skbs(result);
-out:
        kfree_skb(skb);
-       return result;
+       return NULL;
 }
 
 /* All of the following functions relate to fragmentation reassembly. */