From 8cfad496c4257441710735ccef622f3829870164 Mon Sep 17 00:00:00 2001
From: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
Date: Mon, 17 Mar 2014 18:30:19 +0100
Subject: ieee802154: properly unshare skbs in ieee802154 *_rcv functions

ieee802154 sockets do not properly unshare received skbs, which leads to
panics (at least) when they are used in conjunction with 6lowpan, so
run skb_share_check on received skbs.
6lowpan also contains a use-after-free, which is trivially fixed by
replacing the inlined skb_share_check with the explicit call.

Signed-off-by: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
Tested-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ieee802154/raw.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'net/ieee802154/raw.c')

diff --git a/net/ieee802154/raw.c b/net/ieee802154/raw.c
index e5258cf6773b..74d54fae33d7 100644
--- a/net/ieee802154/raw.c
+++ b/net/ieee802154/raw.c
@@ -213,6 +213,10 @@ out:
 
 static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
+	skb = skb_share_check(skb, GFP_ATOMIC);
+	if (!skb)
+		return NET_RX_DROP;
+
 	if (sock_queue_rcv_skb(sk, skb) < 0) {
 		kfree_skb(skb);
 		return NET_RX_DROP;
-- 
cgit v1.2.3