2 files changed, 19 insertions, 5 deletions

diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index 10c13dc4665b..427c67ff89e9 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -48,15 +48,25 @@ enum nf_br_hook_priorities {
 
 /* Only used in br_forward.c */
 static inline
-void nf_bridge_maybe_copy_header(struct sk_buff *skb)
+int nf_bridge_maybe_copy_header(struct sk_buff *skb)
 {
+        int err;
+
         if (skb->nf_bridge) {
                 if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+                        err = skb_cow(skb, 18);
+                        if (err)
+                                return err;
                         memcpy(skb->data - 18, skb->nf_bridge->data, 18);
                         skb_push(skb, 4);
-                } else
+                } else {
+                        err = skb_cow(skb, 16);
+                        if (err)
+                                return err;
                         memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+                }
         }
+        return 0;
 }
 
 /* This is called by the IP fragmenting code and it ensures there is
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 6ccd32b30809..864fbbc7b24d 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -40,11 +40,15 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
         else {
 #ifdef CONFIG_BRIDGE_NETFILTER
                 /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
-                nf_bridge_maybe_copy_header(skb);
+                if (nf_bridge_maybe_copy_header(skb))
+                        kfree_skb(skb);
+                else
 #endif
-                skb_push(skb, ETH_HLEN);
+                {
+                        skb_push(skb, ETH_HLEN);
 
-                dev_queue_xmit(skb);
+                        dev_queue_xmit(skb);
+                }
         }
 
         return 0;