authorThomas Osterried <thomas@osterried.de>2003-06-03 14:17:33 -0700
committerDavid S. Miller <davem@nuts.ninka.net>2003-06-03 14:17:33 -0700
commit78cf0a67f6d8a54edb3454af15a46be9506bd505 (patch)
tree5db3cf111aeb00be9d261b36a2e39a050bc52f55
parent6badba350c3722f6ac14916b5c399b8438069a99 (diff)
[AX25]: AX.25 bug fixes.
- Flexnet CRC handling fix for mkiss.c - Use-after-free bug in ax25_ip.c
-rw-r--r--drivers/net/hamradio/mkiss.c6
-rw-r--r--net/ax25/ax25_ip.c12
2 files changed, 15 insertions, 3 deletions
diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
index 420b3d2bbea2..dd43d6cda55d 100644
--- a/drivers/net/hamradio/mkiss.c
+++ b/drivers/net/hamradio/mkiss.c
@@ -329,6 +329,12 @@ static void ax_bump(struct ax_disp *ax)
return;
}
ax->rcount -= 2;
+ /* dl9sau bugfix: the trailling two bytes flexnet crc
+ * will not be passed to the kernel. thus we have
+ * to correct the kissparm signature, because it
+ * indicates a crc but there's none
+ */
+ *ax->rbuff &= ~0x20;
}
}
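Review bot: The added `*ax->rbuff &= ~0x20;` uses a bare literal for the command-byte bit that the comment says indicates a Flexnet CRC, and that bit is presumably also tested earlier in ax_bump, outside this hunk. A named constant shared by the test and the clear, for example `#define KISS_FLAG_FLEXCRC 0x20` (the name is only a suggestion), would keep the two in step. The hunk also shows no lower bound on `ax->rcount` before `ax->rcount -= 2;`, and since the frame arrives from the serial line it is worth confirming that a frame shorter than the command byte plus the two CRC bytes is rejected before this point. The comment typo `trailling` could be fixed in the same pass.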
diff --git a/net/ax25/ax25_ip.c b/net/ax25/ax25_ip.c
index 6ea092dedab0..dd9b97b001a3 100644
--- a/net/ax25/ax25_ip.c
+++ b/net/ax25/ax25_ip.c
@@ -154,9 +154,15 @@ int ax25_rebuild_header(struct sk_buff *skb)
skb_set_owner_w(ourskb, skb->sk);
kfree_skb(skb);
-
- src_c = *src;
- dst_c = *dst;
+ /* dl9sau: bugfix
+ * after kfree_skb(), dst and src which were pointer
+ * to bp which is part of skb->data would not be valid
+ * anymore hope that after skb_pull(ourskb, ..) our
+ * dsc_c and src_c will not become invalid
+ */
+ bp = ourskb->data;
+ dst_c = *(ax25_address *)(bp + 1);
+ src_c = *(ax25_address *)(bp + 8);
skb_pull(ourskb, AX25_HEADER_LEN - 1); /* Keep PID */
ourskb->nh.raw = ourskb->data;
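Review bot: The added comment ends on "hope that ... will not become invalid", which leaves the reader unsure whether the use-after-free is actually closed. Both assignments are struct copies by value, so `skb_pull()` on `ourskb` cannot invalidate `dst_c` and `src_c`, and the comment should state that (it also misspells `dst_c` as `dsc_c`). Suggested wording: `/* skb is freed above, so copy both addresses by value from ourskb before skb_pull() advances ourskb->data */`. The offsets `1` and `8` are unnamed, and writing them as `bp + 1` and `bp + 1 + AX25_ADDR_LEN` would document the header layout they rely on. ax25_rebuild_header continues outside the hunk, so it is worth checking that the old `dst` and `src` pointers into the freed skb are not used again further down.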