[PATCH] staging: rtl8192e: fix potential use after free

Dan Carpenter dan.carpenter at oracle.com
Tue Nov 5 14:58:51 UTC 2019


On Tue, Nov 05, 2019 at 10:49:11PM +0800, Pan Bian wrote:
> The variable skb is released via kfree_skb() when the return value of
> _rtl92e_tx is not zero. However, after that, skb is accessed again to
> read its length, which may result in a use after free bug. This patch
> fixes the bug by moving the release operation to where skb is never
> used later.
> 
> Signed-off-by: Pan Bian <bianpan2016 at 163.com>

Reviewed-by: Dan Carpenter <dan.carpenter at oracle.com>

regards,
dan carpenter



More information about the devel mailing list