netrom: fix double-free in nr_route_frame() - user/sven/linux.git

diff options

author	Jeongjun Park <aha310510@gmail.com>	2026-01-19 15:33:59 +0900
committer	Jakub Kicinski <kuba@kernel.org>	2026-01-20 19:15:40 -0800
commit	ba1096c315283ee3292765f6aea4cca15816c4f7 (patch)
tree	da710af7a192cee102e26d9d7568ace2aa732188 /security/smack
parent	cdf8de9c6bfe94508d251cb290ee66e34e6f3368 (diff)

netrom: fix double-free in nr_route_frame()davem/net/main davem/net/HEAD

In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. Cc: <stable@vger.kernel.org> Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jeongjun Park <aha310510@gmail.com> Link: https://patch.msgid.link/20260119063359.10604-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'security/smack')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: