ipq_enqueue_packet sets status=-EINVAL and calls ipq_build_packet_message(entry, &status). This can set status=0 while returning an skb. The next line: if (!peer_pid) goto err_out_free_nskb; which wrongly returns success.
Signed-off-by: Krishna Kumar <krkumar2@xxxxxxxxxx>
---
 net/ipv4/netfilter/ip_queue.c | 6 ++++--
 net/ipv6/netfilter/ip6_queue.c | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff -ruNp org/net/ipv4/netfilter/ip_queue.c new/net/ipv4/netfilter/ip_queue.c
--- org/net/ipv4/netfilter/ip_queue.c 2012-04-23 08:28:23.000000000 +0530
+++ new/net/ipv4/netfilter/ip_queue.c 2012-05-02 11:28:33.899790397 +0530
@@ -227,7 +227,7 @@ nlmsg_failure:
 static int
 ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
 {
- int status = -EINVAL;
+ int status;
 struct sk_buff *nskb;
 
 if (copy_mode == IPQ_COPY_NONE)
@@ -239,8 +239,10 @@ ipq_enqueue_packet(struct nf_queue_entry
 
 spin_lock_bh(&queue_lock);
 
- if (!peer_pid)
+ if (!peer_pid) {
+ status = -EINVAL;
 goto err_out_free_nskb;
+ }
 
 if (queue_total >= queue_maxlen) {
 queue_dropped++;
diff -ruNp org/net/ipv6/netfilter/ip6_queue.c new/net/ipv6/netfilter/ip6_queue.c
--- org/net/ipv6/netfilter/ip6_queue.c 2012-04-23 08:28:23.000000000 +0530
+++ new/net/ipv6/netfilter/ip6_queue.c 2012-05-02 11:30:21.199578311 +0530
@@ -227,7 +227,7 @@ nlmsg_failure:
 static int
 ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
 {
- int status = -EINVAL;
+ int status;
 struct sk_buff *nskb;
 
 if (copy_mode == IPQ_COPY_NONE)
@@ -239,8 +239,10 @@ ipq_enqueue_packet(struct nf_queue_entry
 
 spin_lock_bh(&queue_lock);
 
- if (!peer_pid)
+ if (!peer_pid) {
+ status = -EINVAL;
 goto err_out_free_nskb;
+ }
 
 if (queue_total >= queue_maxlen) {
 queue_dropped++;
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
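Review bot: In the first hunk of net/ipv4/netfilter/ip_queue.c, `int status;` is left uninitialised until ipq_build_packet_message(entry, &status) writes through the pointer, so any return of `status` directly after that call now depends on the callee storing an error code on every path where it fails. The call and its failure check lie between the two hunks and are not visible here, so this cannot be confirmed from the patch; if one failure path leaves the pointee untouched, the function would hand an indeterminate value back to its caller. Keeping `int status = -EINVAL;` alongside the explicit assignment added in the second hunk costs nothing and removes that dependency. The same applies to the identical first hunk of net/ipv6/netfilter/ip6_queue.c.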
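Review bot: The new `status = -EINVAL;` in the `if (!peer_pid)` branch (second hunk of net/ipv4/netfilter/ip_queue.c) has no comment saying why it is needed, and nothing in the visible code shows that ipq_build_packet_message() may have stored 0 in `status` by this point. I would add `/* ipq_build_packet_message() may have set status to 0; no listener is an error */` above the assignment. Every branch that jumps to err_out_free_nskb now has to set its own error code, and the label itself is outside the hunk, so a later branch that forgets would again report a packet as queued when nothing holds it for a verdict. The `if (queue_total >= queue_maxlen)` block continues past the end of the hunk, and the identical second hunk of net/ipv6/netfilter/ip6_queue.c wants the same comment.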