提交 0f81eb4d 编写于 作者: H Harald Welte 提交者: Arnaldo Carvalho de Melo

[NETFILTER]: Fix double free after netlink_unicast() in ctnetlink

It's not necessary to free skb if netlink_unicast() failed.
Signed-off-by: NYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: NHarald Welte <laforge@netfilter.org>
Signed-off-by: NArnaldo Carvalho de Melo <acme@mandriva.com>
上级 d2a7bb71
...@@ -815,7 +815,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, ...@@ -815,7 +815,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
IPCTNL_MSG_CT_NEW, 1, ct); IPCTNL_MSG_CT_NEW, 1, ct);
ip_conntrack_put(ct); ip_conntrack_put(ct);
if (err <= 0) if (err <= 0)
goto out; goto free;
err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
if (err < 0) if (err < 0)
...@@ -824,9 +824,9 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, ...@@ -824,9 +824,9 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
DEBUGP("leaving\n"); DEBUGP("leaving\n");
return 0; return 0;
free:
kfree_skb(skb2);
out: out:
if (skb2)
kfree_skb(skb2);
return -1; return -1;
} }
...@@ -1322,21 +1322,16 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, ...@@ -1322,21 +1322,16 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1, exp); 1, exp);
if (err <= 0) if (err <= 0)
goto out; goto free;
ip_conntrack_expect_put(exp); ip_conntrack_expect_put(exp);
err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
if (err < 0)
goto free;
return err;
free:
kfree_skb(skb2);
out: out:
ip_conntrack_expect_put(exp); ip_conntrack_expect_put(exp);
free:
if (skb2)
kfree_skb(skb2);
return err; return err;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册