From b59da960549140e495e0fdcff086a62ebcdf5287 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@nicira.com>
Date: Fri, 21 Oct 2011 15:34:25 -0700
Subject: [PATCH] vport-capwap: Fix use-after-free on error path.

I originally meant just to fix the use of kfree_skb() instead of
consume_skb() on the success path, but then I realized that the failure
path returned an skb that it had just freed.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
---
 datapath/vport-capwap.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/datapath/vport-capwap.c b/datapath/vport-capwap.c
index 3fb4ffb3..8d78b6d1 100644
--- a/datapath/vport-capwap.c
+++ b/datapath/vport-capwap.c
@@ -507,13 +507,13 @@ static struct sk_buff *fragment(struct sk_buff *skb, const struct vport *vport,
 		remaining -= frag_size;
 	}
 
-	goto out;
+	consume_skb(skb);
+	return result;
 
 error:
 	tnl_free_linked_skbs(result);
-out:
 	kfree_skb(skb);
-	return result;
+	return NULL;
 }
 
 /* All of the following functions relate to fragmentation reassembly. */
-- 
2.30.2