netfilter: bridge: don't leak skb in error paths

commit dd302b59bde0149c20df7278c0d36c765e66afbd upstream.

br_nf_dev_queue_xmit must free skb in its error path.
NF_DROP is misleading -- its an okfn, not a netfilter hook.

Fixes: 462fb2af9788a ("bridge : Sanitize skb before it enters the IP stack")
Fixes: efb6de9b4ba00 ("netfilter: bridge: forward IPv6 fragmented packets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.2:
 - Adjust filename
 - Drop IPv6 changes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 7c1745d..6cdd3af 100644 (file)
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -822,12 +822,15 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
            !skb_is_gso(skb)) {
                if (br_parse_ip_options(skb))
                        /* Drop invalid packet */
-                       return NF_DROP;
+                       goto drop;
                ret = ip_fragment(skb, br_dev_queue_push_xmit);
        } else
                ret = br_dev_queue_push_xmit(skb);
 
        return ret;
+ drop:
+       kfree_skb(skb);
+       return 0;
 }
 #else
 static int br_nf_dev_queue_xmit(struct sk_buff *skb)