From: Florian Westphal
Date: Tue, 30 Aug 2011 13:01:20 +0000 (+0200)
Subject: netfilter: nf_queue: reject NF_STOLEN verdicts from userspace
X-Git-Tag: v3.1-rc7~25^2~12^2~5^2~4
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6675233f9015d3c0460c8aab53ed9b99d915c64;p=pandora-kernel.git

netfilter: nf_queue: reject NF_STOLEN verdicts from userspace

A userspace listener may send (bogus) NF_STOLEN verdict, which causes skb leak.

This problem was previously fixed via
64507fdbc29c3a622180378210ecea8659b14e40 (netfilter: nf_queue: fix NF_STOLEN skb leak)
but this had to be reverted because NF_STOLEN can also be returned by a
netfilter hook when iterating the rules in nf_reinject.

Reject userspace NF_STOLEN verdict, as suggested by Michal Miroslaw.

This is complementary to commit fad54440438a7c231a6ae347738423cbabc936d9
(netfilter: avoid double free in nf_reinject).

Cc: Julian Anastasov
Cc: Eric Dumazet
Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
---