[net 1/1] tipc: eliminate access after delete in group_filter_msg()

[net 1/1] tipc: eliminate access after delete in group_filter_msg()

[Jon Maloy]

KASAN revealed another access after delete in group.c. This time
it found that we read the header of a received message after the
buffer has been released.

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
---
 net/tipc/group.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/group.c b/net/tipc/group.c
index 12777ca..95fec2c 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -497,6 +497,7 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq,
 	while ((skb = skb_peek(defq))) {
 		hdr = buf_msg(skb);
 		mtyp = msg_type(hdr);
+		blks = msg_blocks(hdr);
 		deliver = true;
 		ack = false;
 		update = false;
@@ -546,7 +547,6 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq,
 		if (!update)
 			continue;
 
-		blks = msg_blocks(hdr);
 		tipc_group_update_rcv_win(grp, blks, node, port, xmitq);
 	}
 	return;
-- 
2.1.4

Re: [net 1/1] tipc: eliminate access after delete in group_filter_msg()

[David Miller]

From: Jon Maloy <jon.maloy@ericsson.com>
Date: Mon, 27 Nov 2017 20:13:39 +0100

> KASAN revealed another access after delete in group.c. This time
> it found that we read the header of a received message after the
> buffer has been released.
> 
> Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>

Looks good, applied, thanks Jon.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot