
Commit dd302b59 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: bridge: don't leak skb in error paths



br_nf_dev_queue_xmit must free skb in its error path.
NF_DROP is misleading -- it's an okfn, not a netfilter hook.

Fixes: 462fb2af ("bridge : Sanitize skb before it enters the IP stack")
Fixes: efb6de9b ("netfilter: bridge: forward IPv6 fragmented packets")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 3bd22997
+8 −4
@@ -744,7 +744,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
		struct brnf_frag_data *data;

		if (br_validate_ipv4(skb))
			return NF_DROP;
			goto drop;

		IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;

@@ -769,7 +769,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
		struct brnf_frag_data *data;

		if (br_validate_ipv6(skb))
			return NF_DROP;
			goto drop;

		IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;

@@ -784,12 +784,16 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)

		if (v6ops)
			return v6ops->fragment(sk, skb, br_nf_push_frag_xmit);
		else

		kfree_skb(skb);
		return -EMSGSIZE;
	}
#endif
	nf_bridge_info_free(skb);
	return br_dev_queue_push_xmit(sk, skb);
 drop:
	kfree_skb(skb);
	return 0;
}

/* PF_BRIDGE/POST_ROUTING ********************************************/
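Review bot: The two error exits in br_nf_dev_queue_xmit report differently after freeing the skb: the new `drop:` label returns 0 when br_validate_ipv4() or br_validate_ipv6() fails, while the missing-v6ops path returns -EMSGSIZE, and nothing in the visible lines says which result callers of this okfn should expect. The leak being fixed sits on the header-validation failure paths, which presumably can be reached by malformed bridged traffic, so the ownership rule is worth stating above the function, e.g. `/* okfn: consumes skb on every path, including errors; never returns an NF_* verdict */`. If the silent 0 is deliberate, a short `/* invalid header: skb freed, failure not reported to caller */` at the label would keep a later change from reintroducing a verdict return or a second free. The function begins outside the hunks shown, so the IPv4 fragmentation exit is not visible here and should be checked against the same rule.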