net: Fix use after free by removing length arg from sk_data_ready callbacks.

[sfrench/cifs-2.6.git] / net / packet / af_packet.c

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 72e0c71fb01dddeee530067b341601d7196b25b3..b85c67ccb797197abf51596ac5f3044131aa97d8 100644 (file)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1848,7 +1848,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
        skb->dropcount = atomic_read(&sk->sk_drops);
        __skb_queue_tail(&sk->sk_receive_queue, skb);
        spin_unlock(&sk->sk_receive_queue.lock);
-       sk->sk_data_ready(sk, skb->len);
+       sk->sk_data_ready(sk);
        return 0;
 
 drop_n_acct:
@@ -2054,7 +2054,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
        else
                prb_clear_blk_fill_status(&po->rx_ring);
 
-       sk->sk_data_ready(sk, 0);
+       sk->sk_data_ready(sk);
 
 drop_n_restore:
        if (skb_head != skb->data && skb_shared(skb)) {
@@ -2069,7 +2069,7 @@ ring_is_full:
        po->stats.stats1.tp_drops++;
        spin_unlock(&sk->sk_receive_queue.lock);
 
-       sk->sk_data_ready(sk, 0);
+       sk->sk_data_ready(sk);
        kfree_skb(copy_skb);
        goto drop_n_restore;
 }