From a6901dba8700a7c4f2f2ae5db9a1368b375cfeed Mon Sep 17 00:00:00 2001
From: Ryan Hsu
Date: Fri, 4 May 2018 12:19:50 -0700
Subject: qcacld-3.0: rearrange to avoid use-after-free of the skb

The skb buffer is freed after the ealier sanity and then pass along to connectivity stats tracking. Rearragne the stats tracking into the scope of the skb sanity to assure the skb poitner is valid before accessing it and set to NULL after free to make sure it is cleared.

Change-Id: I08106bced48fa8f23955fd261c679a5362ddd7a6
CRs-fixed: 2232362
---
 core/hdd/src/wlan_hdd_tx_rx.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/core/hdd/src/wlan_hdd_tx_rx.c b/core/hdd/src/wlan_hdd_tx_rx.c
index 6bc2688dc313..40a471edb692 100644
--- a/core/hdd/src/wlan_hdd_tx_rx.c
+++ b/core/hdd/src/wlan_hdd_tx_rx.c
@@ -1085,9 +1085,15 @@ drop_pkt_and_release_skb:
 drop_pkt:
 if (skb) {
+ /* track connectivity stats */
+ if (pAdapter->pkt_type_bitmap)
+ hdd_tx_rx_collect_connectivity_stats_info(skb, pAdapter,
+ PKT_TYPE_TX_DROPPED, &pkt_type);
+
 qdf_dp_trace_data_pkt(skb, QDF_DP_TRACE_DROP_PACKET_RECORD, 0, QDF_TX);
 kfree_skb(skb);
+ skb = NULL;
 }
 drop_pkt_accounting:
@@ -1100,11 +1106,6 @@ drop_pkt_accounting:
 "%s : ARP packet dropped", __func__);
 }
- /* track connectivity stats */
- if (pAdapter->pkt_type_bitmap)
- hdd_tx_rx_collect_connectivity_stats_info(skb, pAdapter,
- PKT_TYPE_TX_DROPPED, &pkt_type);
-
 return NETDEV_TX_OK;
 }
--
cgit v1.2.3
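Review bot: In the first hunk the connectivity-stats call now sits inside `if (skb)`, so a path that jumps straight to `drop_pkt_accounting:`, or reaches `drop_pkt:` with a NULL skb, no longer records `PKT_TYPE_TX_DROPPED`. The enclosing function starts outside the hunk, so it is not visible here whether such paths exist or whether skipping them is intended. If it is intended, document it at the call site together with the ordering constraint, so the block is not later moved back below the free: `/* must run before kfree_skb(): skb is passed to the collector; drops without an skb are not tracked */`. The added `skb = NULL;` turns any later stale access into a NULL dereference instead of a use-after-free, so it is worth confirming that nothing after `drop_pkt_accounting:` dereferences skb unchecked.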