bugzilla-daemon@netfilter.org
2003-Apr-25 08:33 UTC
[Bug 86] New: using freed skb in nf_reinject
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=86

           Summary: using freed skb in nf_reinject
           Product: netfilter/iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: netfilter hooks
        AssignedTo: laforge@netfilter.org
        ReportedBy: mszeredi@inf.bme.hu
                CC: netfilter-buglog@lists.netfilter.org

In net/core/netfilter.c in nf_reinject() the bridge device release stuff looks
bogus, since it operates on the possibly freed skb:

        case NF_DROP:
                kfree_skb(skb);
                break;
        }
        br_read_unlock_bh(BR_NETPROTO_LOCK);

        /* Release those devices we held, or Alexey will kill me. */
        if (info->indev) dev_put(info->indev);
        if (info->outdev) dev_put(info->outdev);
#if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
        if (skb->nf_bridge) {
                if (skb->nf_bridge->physindev)
                        dev_put(skb->nf_bridge->physindev);
                if (skb->nf_bridge->physoutdev)
                        dev_put(skb->nf_bridge->physoutdev);
        }
#endif

        kfree(info);
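
Added example, not part of the bug report or the netfilter source: a user-space C model of the ordering the report describes, next to one possible reordering that drops the bridge device references before the verdict is acted on. The struct layouts, `stale_reads`, `put_bridge_devs`, `run_model` and the two `reinject_*` functions are constructed for illustration, and `kfree_skb` here only marks the buffer instead of freeing it.

```c
/* Constructed user-space model of the ordering in the report; not kernel code. */
struct net_device { int refcnt; };
struct nf_bridge_info { struct net_device *physindev, *physoutdev; };
struct sk_buff { struct nf_bridge_info *nf_bridge; int freed; };
enum { NF_DROP, NF_ACCEPT };

static int stale_reads; /* accesses to an skb after kfree_skb() */

static void dev_put(struct net_device *dev) { dev->refcnt--; }

/* Marks instead of freeing, so the late access is countable rather than UB. */
static void kfree_skb(struct sk_buff *skb) { skb->freed = 1; }

static void put_bridge_devs(struct sk_buff *skb)
{
    if (skb->freed) stale_reads++; /* the access the report flags */
    if (!skb->nf_bridge) return;
    if (skb->nf_bridge->physindev) dev_put(skb->nf_bridge->physindev);
    if (skb->nf_bridge->physoutdev) dev_put(skb->nf_bridge->physoutdev);
}

/* Order quoted in the report: verdict first, bridge references afterwards. */
static int reinject_reported_order(struct sk_buff *skb, int verdict)
{
    stale_reads = 0;
    if (verdict == NF_DROP) kfree_skb(skb);
    put_bridge_devs(skb);
    return stale_reads;
}

/* Reordered: drop the references while the skb is still owned, then free. */
static int reinject_release_first(struct sk_buff *skb, int verdict)
{
    stale_reads = 0;
    put_bridge_devs(skb);
    if (verdict == NF_DROP) kfree_skb(skb);
    return stale_reads;
}

/* Runs one ordering on a bridged packet holding one reference per device.
 * Returns the stale accesses; *refs_left receives the references not dropped. */
static int run_model(int release_first, int verdict, int *refs_left)
{
    struct net_device in = { 1 }, out = { 1 };
    struct nf_bridge_info nb = { &in, &out };
    struct sk_buff skb = { &nb, 0 };
    int n = release_first ? reinject_release_first(&skb, verdict)
                          : reinject_reported_order(&skb, verdict);
    *refs_left = in.refcnt + out.refcnt;
    return n;
}
```

In the model both orderings drop every device reference; only the reported order touches the skb after `kfree_skb()`.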