diff options
author | Joe Stringer <joestringer@nicira.com> | 2015-10-25 20:21:48 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-10-27 19:32:14 -0700 |
commit | 74c16618137f1505b0a32dea3ec73a2ef6f8f842 (patch) | |
tree | a85b6a44ec0f5d8d7ae915968ee88250c323a292 /net/openvswitch/conntrack.h | |
parent | c2229fe1430d4e1c70e36520229dd64a87802b20 (diff) | |
download | linux-74c16618137f1505b0a32dea3ec73a2ef6f8f842.tar.bz2 |
openvswitch: Fix double-free on ip_defrag() errors
If ip_defrag() returns an error other than -EINPROGRESS, then the skb is
freed. When handle_fragments() passes this back up to
do_execute_actions(), it will be freed again. Prevent this double free
by never freeing the skb in do_execute_actions() for errors returned by
ovs_ct_execute. Always free it in ovs_ct_execute() error paths instead.
Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/openvswitch/conntrack.h')
-rw-r--r-- | net/openvswitch/conntrack.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/openvswitch/conntrack.h b/net/openvswitch/conntrack.h index 82e0dfc66028..a7544f405c16 100644 --- a/net/openvswitch/conntrack.h +++ b/net/openvswitch/conntrack.h @@ -67,6 +67,7 @@ static inline int ovs_ct_execute(struct net *net, struct sk_buff *skb, struct sw_flow_key *key, const struct ovs_conntrack_info *info) { + kfree_skb(skb); return -ENOTSUPP; } |