From: Florian Westphal <fw@strlen.de>
Date: Tue, 30 Jun 2015 20:27:51 +0000 (+0200)
Subject: netfilter: bridge: don't leak skb in error paths
X-Git-Tag: v3.2.71~45
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f17199d80d11c26da96b1de81c8f7806ed7304f6;p=pandora-kernel.git

netfilter: bridge: don't leak skb in error paths

commit dd302b59bde0149c20df7278c0d36c765e66afbd upstream.

br_nf_dev_queue_xmit must free skb in its error path.
NF_DROP is misleading -- its an okfn, not a netfilter hook.

Fixes: 462fb2af9788a ("bridge : Sanitize skb before it enters the IP stack")
Fixes: efb6de9b4ba00 ("netfilter: bridge: forward IPv6 fragmented packets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.2:
 - Adjust filename
 - Drop IPv6 changes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 7c1745d3b4b6..6cdd3af8fa02 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -822,12 +822,15 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 	    !skb_is_gso(skb)) {
 		if (br_parse_ip_options(skb))
 			/* Drop invalid packet */
-			return NF_DROP;
+			goto drop;
 		ret = ip_fragment(skb, br_dev_queue_push_xmit);
 	} else
 		ret = br_dev_queue_push_xmit(skb);
 
 	return ret;
+ drop:
+	kfree_skb(skb);
+	return 0;
 }
 #else
 static int br_nf_dev_queue_xmit(struct sk_buff *skb)