Commit ffd9bf50 authored by Bart De Schuymer Committed by Stephen Hemminger

[NETFILTER]: Fix use after free of skb in nf_reinject().

parent b1e24b12
...@@ -557,6 +557,18 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info, ...@@ -557,6 +557,18 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
rcu_read_lock(); rcu_read_lock();
/* Release those devices we held, or Alexey will kill me. */
if (info->indev) dev_put(info->indev);
if (info->outdev) dev_put(info->outdev);
#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
if (skb->nf_bridge) {
if (skb->nf_bridge->physindev)
dev_put(skb->nf_bridge->physindev);
if (skb->nf_bridge->physoutdev)
dev_put(skb->nf_bridge->physoutdev);
}
#endif
/* Drop reference to owner of hook which queued us. */ /* Drop reference to owner of hook which queued us. */
module_put(info->elem->owner); module_put(info->elem->owner);
...@@ -599,19 +611,6 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info, ...@@ -599,19 +611,6 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
} }
rcu_read_unlock(); rcu_read_unlock();
/* Release those devices we held, or Alexey will kill me. */
if (info->indev) dev_put(info->indev);
if (info->outdev) dev_put(info->outdev);
#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
if (skb->nf_bridge) {
if (skb->nf_bridge->physindev)
dev_put(skb->nf_bridge->physindev);
if (skb->nf_bridge->physoutdev)
dev_put(skb->nf_bridge->physoutdev);
}
#endif
if (verdict == NF_DROP) if (verdict == NF_DROP)
kfree_skb(skb); kfree_skb(skb);
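Review bot: The relocated release block right after `rcu_read_lock()` keeps only the old "Alexey will kill me" comment, so nothing on the new side records that its position is the actual fix. I would add something like `/* Must stay ahead of the verdict handling: skb may be freed or passed on below, so skb->nf_bridge cannot be read afterwards. */` above the first `dev_put()`. One thing to confirm in the part of nf_reinject() that lies between and outside these two hunks: the device references are now dropped before the packet continues, so any later use of `info->indev` / `info->outdev` there presumably runs without the hold taken at queue time. If that matters, copying the four device pointers into locals at this point and calling `dev_put()` on them after the verdict handling would keep the hold without touching skb again.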