net: atm: fix use after free in lec_send()

thefossguy-ciq · thefossguy-ciq · commit 540dc76f975b · 2025-08-11T17:34:22.000+05:30
jira VULN-56262 cve CVE-2025-22004 commit-author Dan Carpenter <dan.carpenter@linaro.org> commit f3009d0 The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. Fixes: 1da177e ("Linux-2.6.12-rc2") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/c751531d-4af4-42fe-affe-6104b34b791d@stanley.mountain Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit f3009d0) Signed-off-by: Pratham Patel <ppatel@ciq.com>
diff --git a/net/atm/lec.c b/net/atm/lec.c
@@ -180,6 +180,7 @@ static void
 lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
 {
 	struct net_device *dev = skb->dev;
+	unsigned int len = skb->len;
 
 	ATM_SKB(skb)->vcc = vcc;
 	atm_account_tx(vcc, skb);
@@ -190,7 +191,7 @@ lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
 	}
 
 	dev->stats.tx_packets++;
-	dev->stats.tx_bytes += skb->len;
+	dev->stats.tx_bytes += len;
 }
 
 static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue)

Original file line number	Diff line number	Diff line change
`@@ -180,6 +180,7 @@ static void`
`180`	`180`	`lec_send(struct atm_vcc vcc, struct sk_buff skb)`
`181`	`181`	`{`
`182`	`182`	`struct net_device *dev = skb->dev;`
	`183`	`+ unsigned int len = skb->len;`
`183`	`184`
`184`	`185`	`ATM_SKB(skb)->vcc = vcc;`
`185`	`186`	`atm_account_tx(vcc, skb);`
`@@ -190,7 +191,7 @@ lec_send(struct atm_vcc vcc, struct sk_buff skb)`
`190`	`191`	`}`
`191`	`192`
`192`	`193`	`dev->stats.tx_packets++;`
`193`		`- dev->stats.tx_bytes += skb->len;`
	`194`	`+ dev->stats.tx_bytes += len;`
`194`	`195`	`}`
`195`	`196`
`196`	`197`	`static void lec_tx_timeout(struct net_device *dev, unsigned int txqueue)`