netfilter: ebtables: fix memory leak when blob is malformed

stable inclusion
from stable-v4.19.260
commit 1e98318af2f163eadaff815abcef38d27ca92c1e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5UQH4
CVE: NA

--------------------------------

[ Upstream commit 62ce44c4 ]

The bug fix was incomplete, it "replaced" crash with a memory leak.
The old code had an assignment to "ret" embedded into the conditional,
restore this.

Fixes: 7997eff8 ("netfilter: ebtables: reject blobs that don't provide all entry points")
Reported-and-tested-by: syzbot+a24c5252f3e3ab733464@syzkaller.appspotmail.com
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NXu Jia <xujia39@huawei.com>
Reviewed-by: NWei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com>

net/bridge/netfilter/ebtables.c

@@ -1003,8 +1003,10 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
 		goto free_iterate;
 	}
 
-	if (repl->valid_hooks != t->valid_hooks)
+	if (repl->valid_hooks != t->valid_hooks) {
+		ret = -EINVAL;
 		goto free_unlock;
+	}
 
 	if (repl->num_counters && repl->num_counters != t->private->nentries) {
 		ret = -EINVAL;