Commit 071d9393 authored by Krzysztof Mazur's avatar Krzysztof Mazur Committed by David Woodhouse

pppoatm: drop frames to not-ready vcc

The vcc_destroy_socket() closes vcc before the protocol is detached
from vcc by calling vcc->push() with NULL skb. This leaves some time
window, where the protocol may call vcc->send() on closed vcc
and crash.

Now pppoatm_send(), like vcc_sendmsg(), checks for vcc flags that
indicate that vcc is not ready. If the vcc is not ready we just
drop frame. Queueing frames is much more complicated because we
don't have callbacks that inform us about vcc flags changes.
Signed-off-by: default avatarKrzysztof Mazur <krzysiek@podlesie.net>
Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
parent 3ac10800
...@@ -284,6 +284,13 @@ static int pppoatm_send(struct ppp_channel *chan, struct sk_buff *skb) ...@@ -284,6 +284,13 @@ static int pppoatm_send(struct ppp_channel *chan, struct sk_buff *skb)
bh_lock_sock(sk_atm(vcc)); bh_lock_sock(sk_atm(vcc));
if (sock_owned_by_user(sk_atm(vcc))) if (sock_owned_by_user(sk_atm(vcc)))
goto nospace; goto nospace;
if (test_bit(ATM_VF_RELEASED, &vcc->flags) ||
test_bit(ATM_VF_CLOSE, &vcc->flags) ||
!test_bit(ATM_VF_READY, &vcc->flags)) {
bh_unlock_sock(sk_atm(vcc));
kfree_skb(skb);
return DROP_PACKET;
}
switch (pvcc->encaps) { /* LLC encapsulation needed */ switch (pvcc->encaps) { /* LLC encapsulation needed */
case e_llc: case e_llc:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment