On Mon, 2014-11-17 at 12:27 +0100, Michal Kazior wrote:

> After fragmentation reassembly was complete, code
> tried to dereference the hdr pointer, which pointed to
> data of an sk_buff that had been freed.

Curious. This bug has been around forever (since the introduction of mac80211). I wonder what changed that you *also* found it now - because we also found it recently!

> --- a/net/mac80211/rx.c
> +++ b/net/mac80211/rx.c
> @@ -1854,6 +1854,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
> /* Complete frame has been reassembled - process it now */
> status = IEEE80211_SKB_RXCB(rx->skb);
> status->rx_flags |= IEEE80211_RX_FRAGMENTED;
> + hdr = (struct ieee80211_hdr *)rx->skb->data;

This is technically correct, but useless. I already have this patch in my tree instead:

https://git.kernel.org/cgit/linux/kernel/git/jberg/mac80211.git/commit/?id=b8fff407a180286aa683d543d878d98d9fc57b13

johannes
-- 
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
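Review bot: the added line repoints hdr at the reassembled rx->skb, but neither the hunk nor the changelog shows the later dereference of hdr that the commit message calls the use-after-free, so a reader cannot see what the reassignment actually protects; name that use in the changelog (or, as the reply suggests a different fix is already queued, restructure so nothing reads hdr after reassembly at all). Since the reply states the bug has existed since mac80211 was introduced, the submission should also carry a Cc: stable tag so the correction reaches older kernels.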