[ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997)

In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>

net/atm/clip.c

@@ -507,9 +507,11 @@ static int clip_mkip(struct atm_vcc *vcc,int timeout)
 		else {
 			unsigned int len = skb->len;
 
+			skb_get(skb);
 			clip_push(vcc,skb);
 			PRIV(skb->dev)->stats.rx_packets--;
 			PRIV(skb->dev)->stats.rx_bytes -= len;
+			kfree_skb(skb);
 		}
 	return 0;
 }