Commit eda814b9 authored Aug 19, 2020 by Alaa Hleihel Committed by David S. Miller Aug 20, 2020

net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow



tcf_ct_handle_fragments() shouldn't free the skb when ip_defrag() call
fails. Otherwise, we will cause a double-free bug.
In such cases, just return the error to the caller.

Fixes: b57dc7c1 ("net/sched: Introduce action ct")
Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent ab921f3c

net/sched/act_ct.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -704,7 +704,7 @@ static int tcf_ct_handle_fragments(struct net net, struct sk_buff skb,
		err = ip_defrag(net, skb, user);
		local_bh_enable();
		if (err && err != -EINPROGRESS)
		goto out_free;
		return err;

		if (!err) {
		*defrag = true;