[AX25]: AX.25 bug fixes.

- Flxnet CRC handling fix for mkiss.c - Use after free bug in ax25_ip.c

[AX25]: AX.25 bug fixes.
- Flxnet CRC handling fix for mkiss.c - Use after free bug in ax25_ip.c
78cf0a67 · Thomas Osterried · David S. Miller · 6badba35 · 78cf0a67 · 78cf0a67
Commit 78cf0a67 authored Jun 03, 2003 by Thomas Osterried Committed by David S. Miller Jun 03, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 3 deletions

drivers/net/hamradio/mkiss.c drivers/net/hamradio/mkiss.c +6 -0

net/ax25/ax25_ip.c net/ax25/ax25_ip.c +9 -3

No files found.
--- a/drivers/net/hamradio/mkiss.c
+++ b/drivers/net/hamradio/mkiss.c
@@ -329,6 +329,12 @@ static void ax_bump(struct ax_disp *ax)
 				return;
 			}
 			ax->rcount -= 2;
+                        /* dl9sau bugfix: the trailling two bytes flexnet crc
+                         * will not be passed to the kernel. thus we have
+                         * to correct the kissparm signature, because it
+                         * indicates a crc but there's none
+			 */
+                        *ax->rbuff &= ~0x20;
 		}
 	}


--- a/net/ax25/ax25_ip.c
+++ b/net/ax25/ax25_ip.c
@@ -154,9 +154,15 @@ int ax25_rebuild_header(struct sk_buff *skb)
 				skb_set_owner_w(ourskb, skb->sk);

 			kfree_skb(skb);
-
-			src_c = *src;
-			dst_c = *dst;
+			/* dl9sau: bugfix
+			 * after kfree_skb(), dst and src which were pointer
+			 * to bp which is part of skb->data would not be valid
+			 * anymore hope that after skb_pull(ourskb, ..) our
+			 * dsc_c and src_c will not become invalid
+			 */
+			bp  = ourskb->data;
+			dst_c = *(ax25_address *)(bp + 1);
+			src_c = *(ax25_address *)(bp + 8);

 			skb_pull(ourskb, AX25_HEADER_LEN - 1);	/* Keep PID */
 			ourskb->nh.raw = ourskb->data;