Commit f17199d8 authored by Florian Westphal's avatar Florian Westphal Committed by Ben Hutchings

netfilter: bridge: don't leak skb in error paths

commit dd302b59 upstream.

br_nf_dev_queue_xmit must free skb in its error path.
NF_DROP is misleading -- its an okfn, not a netfilter hook.

Fixes: 462fb2af ("bridge : Sanitize skb before it enters the IP stack")
Fixes: efb6de9b ("netfilter: bridge: forward IPv6 fragmented packets")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.2:
 - Adjust filename
 - Drop IPv6 changes]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent d612a04d
...@@ -822,12 +822,15 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb) ...@@ -822,12 +822,15 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
!skb_is_gso(skb)) { !skb_is_gso(skb)) {
if (br_parse_ip_options(skb)) if (br_parse_ip_options(skb))
/* Drop invalid packet */ /* Drop invalid packet */
return NF_DROP; goto drop;
ret = ip_fragment(skb, br_dev_queue_push_xmit); ret = ip_fragment(skb, br_dev_queue_push_xmit);
} else } else
ret = br_dev_queue_push_xmit(skb); ret = br_dev_queue_push_xmit(skb);
return ret; return ret;
drop:
kfree_skb(skb);
return 0;
} }
#else #else
static int br_nf_dev_queue_xmit(struct sk_buff *skb) static int br_nf_dev_queue_xmit(struct sk_buff *skb)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment