From: Ben Pfaff <blp@nicira.com>
Date: Fri, 21 Oct 2011 22:34:25 +0000 (-0700)
Subject: vport-capwap: Fix use-after-free on error path.
X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b59da960549140e495e0fdcff086a62ebcdf5287;p=openvswitch

vport-capwap: Fix use-after-free on error path.

I originally meant just to fix the use of kfree_skb() instead of
consume_skb() on the success path, but then I realized that the failure
path returned an skb that it had just freed.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
---

diff --git a/datapath/vport-capwap.c b/datapath/vport-capwap.c
index 3fb4ffb3..8d78b6d1 100644
--- a/datapath/vport-capwap.c
+++ b/datapath/vport-capwap.c
@@ -507,13 +507,13 @@ static struct sk_buff *fragment(struct sk_buff *skb, const struct vport *vport,
 		remaining -= frag_size;
 	}
 
-	goto out;
+	consume_skb(skb);
+	return result;
 
 error:
 	tnl_free_linked_skbs(result);
-out:
 	kfree_skb(skb);
-	return result;
+	return NULL;
 }
 
 /* All of the following functions relate to fragmentation reassembly. */