Re: [PATCH v2] netfilter: bridge: unshare bridge info before change it

On 11/19/2014 09:07 PM, Pablo Neira Ayuso wrote:
> On Wed, Nov 19, 2014 at 11:07:32AM +0800, Gao feng wrote:
>> diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
>> index c755e49..dca7337 100644
>> --- a/include/linux/netfilter_bridge.h
>> +++ b/include/linux/netfilter_bridge.h
>> @@ -81,14 +81,64 @@ static inline unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
>>  	return 0;
>>  }
>>  
>> +static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
>> +{
>> +	skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
>> +	if (likely(skb->nf_bridge))
>> +		atomic_set(&(skb->nf_bridge->use), 1);
>> +
>> +	return skb->nf_bridge;
>> +}
>> +
>> +static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
>> +{
>> +	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
>> +
>> +	if (atomic_read(&nf_bridge->use) > 1) {
>> +		struct nf_bridge_info *tmp = nf_bridge_alloc(skb);
> 
> nf_bridge_alloc() overwrites the original skb->nf_bridge when
> unsharing, so this leaks and likely breaks other things.
> 

Overwriting is what we expected: we store the original nf_bridge in the variable
nf_bridge, copy the original to the new one, and release the reference to the original
nf_bridge. I cannot find anything wrong.

>> +
>> +		if (tmp) {
>> +			memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
>> +			atomic_set(&tmp->use, 1);
>> +		}
>> +		nf_bridge_put(nf_bridge);
>> +		nf_bridge = tmp;
>> +	}
>> +	return nf_bridge;
>> +}
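Review bot: the allocation-failure path in nf_bridge_unshare() silently drops the skb's bridge state: when nf_bridge_alloc() returns NULL, skb->nf_bridge has already been overwritten with NULL, nf_bridge_put(nf_bridge) still releases the original reference, and the function returns NULL, so the packet ends up with no nf_bridge at all and every caller has to be prepared for a NULL return. Consider restoring `skb->nf_bridge = nf_bridge;` before returning NULL on failure (or moving the nf_bridge_put() inside the `if (tmp)` branch) so the packet keeps its existing bridge info and the caller can fail cleanly. Two smaller points in the same hunk: nf_bridge_unshare() does `atomic_read(&nf_bridge->use)` without checking that skb->nf_bridge is non-NULL, so it may only be called where that is guaranteed, which deserves a comment; and because nf_bridge_alloc() stores the zeroed object into skb->nf_bridge before the memcpy() runs, there is a window in which skb->nf_bridge points at an incomplete copy. Allocating into a local and assigning skb->nf_bridge only after the memcpy() and the atomic_set() avoids that.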
> 
