From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Mon, 23 Jan 2012 05:38:59 +0000 (+0000)
Subject: macvlan: fix a possible use after free
X-Git-Tag: v3.2.3~15
X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54652156e50409654d6d56bee221a3ad34dc0be9;p=pandora-kernel.git

macvlan: fix a possible use after free

[ Upstream commit 4ec7ac1203bcf21f5e3d977c9818b1a56c9ef40d ]

Commit bc416d9768 (macvlan: handle fragmented multicast frames) added a
possible use after free in macvlan_handle_frame(), since
ip_check_defrag() uses pskb_may_pull() : skb header can be reallocated.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 74134970b709..959d4480a651 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -172,6 +172,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
 		skb = ip_check_defrag(skb, IP_DEFRAG_MACVLAN);
 		if (!skb)
 			return RX_HANDLER_CONSUMED;
+		eth = eth_hdr(skb);
 		src = macvlan_hash_lookup(port, eth->h_source);
 		if (!src)
 			/* frame comes from an external address */