[ROSE]: Fix dereference of skb pointer after free.

If rose_route_frame return success we'll dereference a stale pointer. Likely this is only going to result in bad statistics for the ROSE interface. This fixes coverity 946. Signed-off-by: Ralf Baechle <[email protected]> Signed-off-by: David S. Miller <[email protected]>
laijs · Jul 4, 2006 · 8dc22d2 · 8dc22d2
1 parent 518d1c9
commit 8dc22d2
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/net/rose/rose_dev.c b/net/rose/rose_dev.c
@@ -59,6 +59,7 @@ static int rose_rebuild_header(struct sk_buff *skb)
 	struct net_device_stats *stats = netdev_priv(dev);
 	unsigned char *bp = (unsigned char *)skb->data;
 	struct sk_buff *skbn;
+	unsigned int len;
 
 #ifdef CONFIG_INET
 	if (arp_find(bp + 7, skb)) {
@@ -75,14 +76,16 @@ static int rose_rebuild_header(struct sk_buff *skb)
 
 	kfree_skb(skb);
 
+	len = skbn->len;
+
 	if (!rose_route_frame(skbn, NULL)) {
 		kfree_skb(skbn);
 		stats->tx_errors++;
 		return 1;
 	}
 
 	stats->tx_packets++;
-	stats->tx_bytes += skbn->len;
+	stats->tx_bytes += len;
 #endif
 	return 1;
 }