[NETLINK]: Fix use-after-free in netlink_recvmsg The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up a few lines. Coverity #948 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85 [log] [tgz]
author: Patrick McHardy <kaber@trash.net> Sun Mar 12 20:34:27 2006 -0800
committer: David S. Miller <davem@sunset.davemloft.net> Sun Mar 12 20:39:38 2006 -0800
tree: c6dce78c5e845d9cd4d5baab7c8b29306fa77541
parent: f8dc01f543f28253abeef649987249210d8db3cc [diff]
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6b9772d..59dc7d1 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c

@@ -1194,6 +1194,9 @@
 		msg->msg_namelen = sizeof(*addr);
 	}
 
+	if (nlk->flags & NETLINK_RECV_PKTINFO)
+		netlink_cmsg_recv_pktinfo(msg, skb);
+
 	if (NULL == siocb->scm) {
 		memset(&scm, 0, sizeof(scm));
 		siocb->scm = &scm;
@@ -1205,8 +1208,6 @@
 		netlink_dump(sk);
 
 	scm_recv(sock, msg, siocb->scm, flags);
-	if (nlk->flags & NETLINK_RECV_PKTINFO)
-		netlink_cmsg_recv_pktinfo(msg, skb);
 
 out:
 	netlink_rcv_wake(sk);
commit	cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85	[log] [tgz]
author	Patrick McHardy <kaber@trash.net>	Sun Mar 12 20:34:27 2006 -0800
committer	David S. Miller <davem@sunset.davemloft.net>	Sun Mar 12 20:39:38 2006 -0800
tree	c6dce78c5e845d9cd4d5baab7c8b29306fa77541
parent	f8dc01f543f28253abeef649987249210d8db3cc [diff]