summaryrefslogtreecommitdiff
path: root/net/bridge
diff options
context:
space:
mode:
authorStephen Hemminger <shemminger@osdl.org>2006-08-26 20:28:30 -0700
committerDavid S. Miller <davem@davemloft.net>2006-08-26 20:28:30 -0700
commit3a13813e6effcfad5910d47b15b724621b50b878 (patch)
tree30aaf88578ee23b0a1c0f90e7ee1100244d62415 /net/bridge
parent8dbc16033e35c7443cd56cb5ba308bb19cb7b469 (diff)
downloadlinux-3.10-3a13813e6effcfad5910d47b15b724621b50b878.tar.gz
linux-3.10-3a13813e6effcfad5910d47b15b724621b50b878.tar.bz2
linux-3.10-3a13813e6effcfad5910d47b15b724621b50b878.zip
[BRIDGE] netfilter: memory corruption fix
The bridge-netfilter code will overwrite memory if there is not headroom in the skb to save the header. This first showed up when using Xen with sky2 driver that doesn't allocate the extra space. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge')
-rw-r--r--net/bridge/br_forward.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 6ccd32b3080..864fbbc7b24 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -40,11 +40,15 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
else {
#ifdef CONFIG_BRIDGE_NETFILTER
/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
- nf_bridge_maybe_copy_header(skb);
+ if (nf_bridge_maybe_copy_header(skb))
+ kfree_skb(skb);
+ else
#endif
- skb_push(skb, ETH_HLEN);
+ {
+ skb_push(skb, ETH_HLEN);
- dev_queue_xmit(skb);
+ dev_queue_xmit(skb);
+ }
}
return 0;