netfilter: bridge: don't leak skb in error paths

commit dd302b59bde0149c20df7278c0d36c765e66afbd upstream. br_nf_dev_queue_xmit must free skb in its error path. NF_DROP is misleading -- its an okfn, not a netfilter hook. Fixes: 462fb2af9788a ("bridge : Sanitize skb before it enters the IP stack") Fixes: efb6de9b4ba00 ("netfilter: bridge: forward IPv6 fragmented packets") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [bwh: Backported to 3.2: - Adjust filename - Drop IPv6 changes] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Florian Westphal <fw@strlen.de> 2015-06-30 22:27:51 +0200
committer: Ben Hutchings <ben@decadent.org.uk> 2015-08-12 16:33:19 +0200
commit: f17199d80d11c26da96b1de81c8f7806ed7304f6 (patch)
tree: 2573972742999b721c0d8aca959c6efcc59fa180 /net
parent: d612a04deae8a70636a2fced4fdd0bb94dfb6219 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 7c1745d3b4b6..6cdd3af8fa02 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -822,12 +822,15 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 	    !skb_is_gso(skb)) {
 		if (br_parse_ip_options(skb))
 			/* Drop invalid packet */
-			return NF_DROP;
+			goto drop;
 		ret = ip_fragment(skb, br_dev_queue_push_xmit);
 	} else
 		ret = br_dev_queue_push_xmit(skb);
 
 	return ret;
+ drop:
+	kfree_skb(skb);
+	return 0;
 }
 #else
 static int br_nf_dev_queue_xmit(struct sk_buff *skb)
author	Florian Westphal <fw@strlen.de>	2015-06-30 22:27:51 +0200
committer	Ben Hutchings <ben@decadent.org.uk>	2015-08-12 16:33:19 +0200
commit	f17199d80d11c26da96b1de81c8f7806ed7304f6 (patch)
tree	2573972742999b721c0d8aca959c6efcc59fa180 /net
parent	d612a04deae8a70636a2fced4fdd0bb94dfb6219 (diff)