If we run out of space to put a new port in a bridge port group, we
leave dev->br_port pointing to freed memory. Found by Dan Eble.
Fix below. Should go into both 2.4 and 2.5.
--- linux/net/bridge/br_if.c.orig 2003-02-06 13:15:31.000000000 +0100
+++ linux/net/bridge/br_if.c 2003-02-06 13:15:43.000000000 +0100
@@ -155,8 +155,6 @@
p->path_cost = br_initial_port_cost(dev);
p->priority = 0x80;
- dev->br_port = p;
-
for (i=1;i<255;i++)
if (br_get_port(br, i) == NULL)
break;
@@ -166,6 +164,8 @@
return NULL;
}
+ dev->br_port = p;
+
p->port_no = i;
br_init_port(p);
p->state = BR_STATE_DISABLED;
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
