diff options
| -rw-r--r-- | net/ipv4/netfilter/ip_queue.c | 12 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6_queue.c | 10 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_queue.c | 10 |
3 files changed, 19 insertions, 13 deletions
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c index 6bda1102851..fe05da41d6b 100644 --- a/net/ipv4/netfilter/ip_queue.c +++ b/net/ipv4/netfilter/ip_queue.c | |||
| @@ -283,8 +283,8 @@ static int | |||
| 283 | ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct nf_queue_entry *e) | 283 | ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct nf_queue_entry *e) |
| 284 | { | 284 | { |
| 285 | int diff; | 285 | int diff; |
| 286 | int err; | ||
| 287 | struct iphdr *user_iph = (struct iphdr *)v->payload; | 286 | struct iphdr *user_iph = (struct iphdr *)v->payload; |
| 287 | struct sk_buff *nskb; | ||
| 288 | 288 | ||
| 289 | if (v->data_len < sizeof(*user_iph)) | 289 | if (v->data_len < sizeof(*user_iph)) |
| 290 | return 0; | 290 | return 0; |
| @@ -296,14 +296,16 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct nf_queue_entry *e) | |||
| 296 | if (v->data_len > 0xFFFF) | 296 | if (v->data_len > 0xFFFF) |
| 297 | return -EINVAL; | 297 | return -EINVAL; |
| 298 | if (diff > skb_tailroom(e->skb)) { | 298 | if (diff > skb_tailroom(e->skb)) { |
| 299 | err = pskb_expand_head(e->skb, 0, | 299 | nskb = skb_copy_expand(e->skb, 0, |
| 300 | diff - skb_tailroom(e->skb), | 300 | diff - skb_tailroom(e->skb), |
| 301 | GFP_ATOMIC); | 301 | GFP_ATOMIC); |
| 302 | if (err) { | 302 | if (!nskb) { |
| 303 | printk(KERN_WARNING "ip_queue: error " | 303 | printk(KERN_WARNING "ip_queue: error " |
| 304 | "in mangle, dropping packet: %d\n", -err); | 304 | "in mangle, dropping packet\n"); |
| 305 | return err; | 305 | return -ENOMEM; |
| 306 | } | 306 | } |
| 307 | kfree_skb(e->skb); | ||
| 308 | e->skb = nskb; | ||
| 307 | } | 309 | } |
| 308 | skb_put(e->skb, diff); | 310 | skb_put(e->skb, diff); |
| 309 | } | 311 | } |
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c index e869916b05f..cc2f9afcf80 100644 --- a/net/ipv6/netfilter/ip6_queue.c +++ b/net/ipv6/netfilter/ip6_queue.c | |||
| @@ -285,8 +285,8 @@ static int | |||
| 285 | ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct nf_queue_entry *e) | 285 | ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct nf_queue_entry *e) |
| 286 | { | 286 | { |
| 287 | int diff; | 287 | int diff; |
| 288 | int err; | ||
| 289 | struct ipv6hdr *user_iph = (struct ipv6hdr *)v->payload; | 288 | struct ipv6hdr *user_iph = (struct ipv6hdr *)v->payload; |
| 289 | struct sk_buff *nskb; | ||
| 290 | 290 | ||
| 291 | if (v->data_len < sizeof(*user_iph)) | 291 | if (v->data_len < sizeof(*user_iph)) |
| 292 | return 0; | 292 | return 0; |
| @@ -298,14 +298,16 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct nf_queue_entry *e) | |||
| 298 | if (v->data_len > 0xFFFF) | 298 | if (v->data_len > 0xFFFF) |
| 299 | return -EINVAL; | 299 | return -EINVAL; |
| 300 | if (diff > skb_tailroom(e->skb)) { | 300 | if (diff > skb_tailroom(e->skb)) { |
| 301 | err = pskb_expand_head(e->skb, 0, | 301 | nskb = skb_copy_expand(e->skb, 0, |
| 302 | diff - skb_tailroom(e->skb), | 302 | diff - skb_tailroom(e->skb), |
| 303 | GFP_ATOMIC); | 303 | GFP_ATOMIC); |
| 304 | if (err) { | 304 | if (!nskb) { |
| 305 | printk(KERN_WARNING "ip6_queue: OOM " | 305 | printk(KERN_WARNING "ip6_queue: OOM " |
| 306 | "in mangle, dropping packet\n"); | 306 | "in mangle, dropping packet\n"); |
| 307 | return err; | 307 | return -ENOMEM; |
| 308 | } | 308 | } |
| 309 | kfree_skb(e->skb); | ||
| 310 | e->skb = nskb; | ||
| 309 | } | 311 | } |
| 310 | skb_put(e->skb, diff); | 312 | skb_put(e->skb, diff); |
| 311 | } | 313 | } |
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a48b20fe9cd..0043d3a9f87 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c | |||
| @@ -443,8 +443,8 @@ err_out: | |||
| 443 | static int | 443 | static int |
| 444 | nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e) | 444 | nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e) |
| 445 | { | 445 | { |
| 446 | struct sk_buff *nskb; | ||
| 446 | int diff; | 447 | int diff; |
| 447 | int err; | ||
| 448 | 448 | ||
| 449 | diff = data_len - e->skb->len; | 449 | diff = data_len - e->skb->len; |
| 450 | if (diff < 0) { | 450 | if (diff < 0) { |
| @@ -454,14 +454,16 @@ nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e) | |||
| 454 | if (data_len > 0xFFFF) | 454 | if (data_len > 0xFFFF) |
| 455 | return -EINVAL; | 455 | return -EINVAL; |
| 456 | if (diff > skb_tailroom(e->skb)) { | 456 | if (diff > skb_tailroom(e->skb)) { |
| 457 | err = pskb_expand_head(e->skb, 0, | 457 | nskb = skb_copy_expand(e->skb, 0, |
| 458 | diff - skb_tailroom(e->skb), | 458 | diff - skb_tailroom(e->skb), |
| 459 | GFP_ATOMIC); | 459 | GFP_ATOMIC); |
| 460 | if (err) { | 460 | if (!nskb) { |
| 461 | printk(KERN_WARNING "nf_queue: OOM " | 461 | printk(KERN_WARNING "nf_queue: OOM " |
| 462 | "in mangle, dropping packet\n"); | 462 | "in mangle, dropping packet\n"); |
| 463 | return err; | 463 | return -ENOMEM; |
| 464 | } | 464 | } |
| 465 | kfree_skb(e->skb); | ||
| 466 | e->skb = nskb; | ||
| 465 | } | 467 | } |
| 466 | skb_put(e->skb, diff); | 468 | skb_put(e->skb, diff); |
| 467 | } | 469 | } |