Thread (2 messages) 2 messages, 2 authors, 2011-01-06

[patch 2/2] dcb: use after free in dcb_flushapp()

From: Dan Carpenter <hidden>
Date: 2011-01-05 07:04:00
Also in: kernel-janitors
Subsystem: networking [general], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

The original code has a use after free bug because it's not using the
_safe() version of the list_for_each_entry() macro.

Signed-off-by: Dan Carpenter <redacted>
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 8881cb5..11bf6a2 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1650,9 +1650,10 @@ EXPORT_SYMBOL(dcb_setapp);
 static void dcb_flushapp(void)
 {
 	struct dcb_app_type *app;
+	struct dcb_app_type *tmp;
 
 	spin_lock(&dcb_lock);
-	list_for_each_entry(app, &dcb_app_list, list) {
+	list_for_each_entry_safe(app, tmp, &dcb_app_list, list) {
 		list_del(&app->list);
 		kfree(app);
 	}
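
Review bot: the changelog should say where the freed memory is actually touched, since the loop body in dcb_flushapp() looks harmless on its own. The access happens in the iterator's advance step: list_for_each_entry() reads app->list.next after kfree(app) has run, whereas list_for_each_entry_safe() saves the next entry in tmp before the body executes. As a minor style point, the added declaration could be folded into the existing one as `struct dcb_app_type *app, *tmp;`.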