| author | Florian Westphal <fw@strlen.de> | 2022-02-28 08:22:22 +0300 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2022-03-01 13:50:35 +0300 |
| commit | c3873070247d9e3c7a6b0cf9bf9b45e8018427b1 (patch) | |
| tree | da192a08d0f995eaa2854d5033279ace339f2bcf /net/netfilter/nfnetlink_queue.c | |
| parent | 2e78855d311c401083df9776aa450d32d716e83e (diff) | |
| download | linux-c3873070247d9e3c7a6b0cf9bf9b45e8018427b1.tar.xz | |
netfilter: nf_queue: fix possible use-after-free
Eric Dumazet says:

> The sock_hold() side seems suspect, because there is no guarantee
> that sk_refcnt is not already 0.
On failure, we cannot queue the packet and need to indicate an
error. The packet will be dropped by the caller.
v2: split skb prefetch hunk into separate change
Fixes: 271b72c7fa82c ("udp: RCU handling for Unicast packets.")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
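The race the commit message describes, as an added user-space model that is not kernel code and not part of this commit: a toy `struct sock` with an atomic refcount, an unconditional `hold_unchecked()` standing in for `sock_hold()`, a compare-and-swap `hold_if_live()` standing in for the "not already zero" check, and two versions of an entry-duplication routine, one that takes references blindly and one that refuses to duplicate when a reference cannot be taken. All names (`hold_unchecked`, `hold_if_live`, `dup_unchecked`, `dup_checked`, `entry_get_refs`) and the scenarios are constructed for this example; "freed" is modelled with a flag rather than real memory release.

```c
/* Added example, not kernel code: models the refcount race behind this fix. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct sock {
    atomic_int refcnt;
    int freed;              /* set when the last reference is dropped (models kfree) */
};

struct queue_entry {
    struct sock *sk;        /* pointer captured when the packet was queued */
    size_t size;
};

/* Unconditional increment, like sock_hold(): a dead object is "resurrected". */
static void hold_unchecked(struct sock *sk) { atomic_fetch_add(&sk->refcnt, 1); }

/* CAS loop like refcount_inc_not_zero(): refuses once the count has reached 0. */
static bool hold_if_live(struct sock *sk)
{
    int old = atomic_load(&sk->refcnt);
    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak(&sk->refcnt, &old, old + 1));
    return true;
}

static void put(struct sock *sk)
{
    if (atomic_fetch_sub(&sk->refcnt, 1) == 1)
        sk->freed = 1;      /* last reference gone: object is freed */
}

/* Pre-fix shape: copy the entry and take references without checking. */
static struct queue_entry *dup_unchecked(const struct queue_entry *e)
{
    struct queue_entry *n = malloc(sizeof *n);
    if (!n)
        return NULL;
    memcpy(n, e, sizeof *n);
    if (n->sk)
        hold_unchecked(n->sk);
    return n;
}

/* Fixed shape: report failure when a reference cannot be taken, and let the
 * caller drop the packet instead of queueing a copy with a stale pointer. */
static bool entry_get_refs(struct queue_entry *n)
{
    if (n->sk && !hold_if_live(n->sk))
        return false;       /* nothing acquired, so the caller may free n */
    return true;
}

static struct queue_entry *dup_checked(const struct queue_entry *e)
{
    struct queue_entry *n = malloc(sizeof *n);
    if (!n)
        return NULL;
    memcpy(n, e, sizeof *n);
    if (entry_get_refs(n))
        return n;
    free(n);
    return NULL;
}

/* Scenario: the owner drops its last reference, then the queued entry is duplicated. */
static int scenario_unchecked(void)
{
    struct sock sk = { .freed = 0 };
    atomic_init(&sk.refcnt, 1);
    struct queue_entry e = { .sk = &sk, .size = sizeof e };
    put(&sk);                               /* object is now "freed" */
    struct queue_entry *n = dup_unchecked(&e);
    int stale = (n != NULL && sk.freed && atomic_load(&sk.refcnt) == 1);
    free(n);
    return stale;                           /* 1: copy references freed memory */
}

static int scenario_checked(void)
{
    struct sock sk = { .freed = 0 };
    atomic_init(&sk.refcnt, 1);
    struct queue_entry e = { .sk = &sk, .size = sizeof e };
    put(&sk);
    struct queue_entry *n = dup_checked(&e);
    return n == NULL;                       /* 1: duplication refused */
}

/* Normal case: the socket is alive, the copy takes a second reference. */
static int scenario_live(void)
{
    struct sock sk = { .freed = 0 };
    atomic_init(&sk.refcnt, 1);
    struct queue_entry e = { .sk = &sk, .size = sizeof e };
    struct queue_entry *n = dup_checked(&e);
    int ok = (n != NULL && atomic_load(&sk.refcnt) == 2);
    if (n) { put(n->sk); free(n); }
    return ok;
}

int main(void)
{
    printf("unchecked dup on dead sock: stale=%d\n", scenario_unchecked());
    printf("checked dup on dead sock:   refused=%d\n", scenario_checked());
    printf("checked dup on live sock:   ok=%d\n", scenario_live());
    return 0;
}
```

The point of the two scenarios is the same as in the hunk: a duplicate that cannot take its references must not exist at all, so the failure path frees the copy and returns NULL, and the caller treats NULL as "cannot queue, drop".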
Diffstat (limited to 'net/netfilter/nfnetlink_queue.c')
-rw-r--r-- | net/netfilter/nfnetlink_queue.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index ea2d9c2a44cf..64a6acb6aeae 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -710,9 +710,15 @@ static struct nf_queue_entry * nf_queue_entry_dup(struct nf_queue_entry *e) { struct nf_queue_entry *entry = kmemdup(e, e->size, GFP_ATOMIC); - if (entry) - nf_queue_entry_get_refs(entry); - return entry; + + if (!entry) + return NULL; + + if (nf_queue_entry_get_refs(entry)) + return entry; + + kfree(entry); + return NULL; } #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) |
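Review bot: the failure path at the end of the hunk releases the copy with a bare `kfree(entry); return NULL;`, which is only leak-free if nf_queue_entry_get_refs() acquires nothing before it reports failure; that callee is not in this diff, so please confirm it drops any device or state reference it already took before returning false, or this path leaks them. The commit message should also spell out that nf_queue_entry_get_refs() now carries a return value the removed `if (entry) nf_queue_entry_get_refs(entry);` ignored; NULL was already a possible result of nf_queue_entry_dup() when kmemdup() failed, so callers need no change, but the new contract of the callee is not documented anywhere in this hunk.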