net: ipconfig: fix use after free
authorUwe Kleine-König <u.kleine-koenig@pengutronix.de>
Wed, 10 Aug 2016 09:44:17 +0000 (11:44 +0200)
committerDavid S. Miller <davem@davemloft.net>
Wed, 10 Aug 2016 21:04:23 +0000 (14:04 -0700)
ic_close_devs() calls kfree() for all devices's ic_device. Since commit
2647cffb2bc6 ("net: ipconfig: Support using "delayed" DHCP replies")
the active device's ic_device is still used however to print the
ipconfig summary which results in an oops if the memory is already
changed. So delay freeing until after the autoconfig results are
reported.

Fixes: 2647cffb2bc6 ("net: ipconfig: Support using "delayed" DHCP replies")
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ipconfig.c

index 42cf629357b58c28d6f2325099c7f1452c16b28c..66c2fe602810e7233fe7ff2c8f764f7b8b18eebc 100644 (file)
@@ -1492,14 +1492,6 @@ static int __init ip_auto_config(void)
        if (ic_defaults() < 0)
                return -1;
 
-       /*
-        * Close all network devices except the device we've
-        * autoconfigured and set up routes.
-        */
-       ic_close_devs();
-       if (ic_setup_if() < 0 || ic_setup_routes() < 0)
-               return -1;
-
        /*
         * Record which protocol was actually used.
         */
@@ -1534,6 +1526,15 @@ static int __init ip_auto_config(void)
        pr_cont("\n");
 #endif /* !SILENT */
 
+       /*
+        * Close all network devices except the device we've
+        * autoconfigured and set up routes.
+        */
+       ic_close_devs();
+       if (ic_setup_if() < 0 || ic_setup_routes() < 0)
+               return -1;
+
+
        return 0;
 }