netfilter: nf_queue: fix NF_STOLEN skb leak
Eric Dumazet [Fri, 19 Feb 2010 14:28:38 +0000 (15:28 +0100)]
commit 3bc38712e3a6e059 (handle NF_STOP and unknown verdicts in
nf_reinject) was a partial fix to packet leaks.

If user asks NF_STOLEN status, we must free the skb as well.

Reported-by: Afi Gjermund <afigjermund@gmail.com>
Signed-off-by: Eric DUmazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

net/netfilter/nf_queue.c

index 3a6fd77..ba095fd 100644 (file)
@@ -265,7 +265,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
                local_bh_disable();
                entry->okfn(skb);
                local_bh_enable();
-       case NF_STOLEN:
                break;
        case NF_QUEUE:
                if (!__nf_queue(skb, elem, entry->pf, entry->hook,
@@ -273,6 +272,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
                                verdict >> NF_VERDICT_BITS))
                        goto next_hook;
                break;
+       case NF_STOLEN:
        default:
                kfree_skb(skb);
        }