[NETFILTER]: conntrack_netlink: Fix locking during conntrack_create

The current codepath allowed for ip_conntrack_lock to be unlock'ed twice. Signed-off-by: Pablo Neira <pablo@eurodev.net> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pablo Neira <pablo@eurodev.net> 2005-08-09 23:02:55 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2005-08-29 18:39:05 -0400
commit: 88aa0429048d08c18f2772782588f953bbbd79be (patch)
tree: b8f6cebd9e682882394b92e7e737436b3648e1d7 /net
parent: 94cd2b67641e7ddc2e6ed71d76e00116957423db (diff)
1 files changed, 7 insertions, 6 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 36a046f22105..0ab2d7df6bc4 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -1052,13 +1052,14 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
                err = -ENOENT;
                if (nlh->nlmsg_flags & NLM_F_CREATE)
                        err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
+                return err;
+        }
+        /* implicit 'else' */
+        /* we only allow nat config for new conntracks */
+        if (cda[CTA_NAT-1]) {
+                err = -EINVAL;
                goto out_unlock;
-        } else {
-                /* we only allow nat config for new conntracks */
-                if (cda[CTA_NAT-1]) {
-                        err = -EINVAL;
-                        goto out_unlock;
-                }
        }
        /* We manipulate the conntrack inside the global conntrack table lock,
author	Pablo Neira <pablo@eurodev.net>	2005-08-09 23:02:55 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2005-08-29 18:39:05 -0400
commit	88aa0429048d08c18f2772782588f953bbbd79be (patch)
tree	b8f6cebd9e682882394b92e7e737436b3648e1d7 /net
parent	94cd2b67641e7ddc2e6ed71d76e00116957423db (diff)