| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200901150953.508117152@linuxfoundation.org>
Date: Tue, 1 Sep 2020 17:08:11 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Alaa Hleihel <alaa@...lanox.com>,
Roi Dayan <roid@...lanox.com>,
"David S. Miller" <davem@...emloft.net>
Subject: [PATCH 5.4 011/214] net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow
From: Alaa Hleihel <alaa@...lanox.com>
[ Upstream commit eda814b97dfb8d9f4808eb2f65af9bd3705c4cae ]
tcf_ct_handle_fragments() shouldn't free the skb when ip_defrag() call
fails. Otherwise, we will cause a double-free bug.
In such cases, just return the error to the caller.
Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
Signed-off-by: Alaa Hleihel <alaa@...lanox.com>
Reviewed-by: Roi Dayan <roid@...lanox.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
net/sched/act_ct.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -186,7 +186,7 @@ static int tcf_ct_handle_fragments(struc
memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
err = nf_ct_frag6_gather(net, skb, user);
if (err && err != -EINPROGRESS)
- goto out_free;
+ return err;
#else
err = -EOPNOTSUPP;
goto out_free;
Powered by blists - more mailing lists