linux/net/bridge
Patrick McHardy 2dc2f207fb [NETFILTER]: bridge-netfilter: fix net_device refcnt leaks
When packets are flood-forwarded to multiple output devices, the
bridge-netfilter code reuses skb->nf_bridge for each clone to store
the bridge port. When queueing packets using NFQUEUE netfilter takes
a reference to skb->nf_bridge->physoutdev, which is overwritten
when the packet is forwarded to the second port. This causes
refcount unterflows for the first device and refcount leaks for all
others. Additionally this provides incorrect data to the iptables
physdev match.

Unshare skb->nf_bridge by copying it if it is shared before assigning
the physoutdev device.

Reported, tested and based on initial patch by
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-20 20:31:41 -08:00
..
netfilter [BRIDGE]: Properly dereference the br_should_route_hook 2007-11-29 23:58:58 +11:00
br_device.c [BRIDGE]: Assign random address. 2007-12-16 13:35:51 -08:00
br_fdb.c [BRIDGE]: Section fix. 2007-12-07 01:05:53 -08:00
br_forward.c [BRIDGE]: Kill clone argument to br_flood_* 2007-09-16 16:20:48 -07:00
br_if.c [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
br_input.c [BRIDGE]: Properly dereference the br_should_route_hook 2007-11-29 23:58:58 +11:00
br_ioctl.c [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
br_netfilter.c [NETFILTER]: bridge-netfilter: fix net_device refcnt leaks 2008-01-20 20:31:41 -08:00
br_netlink.c [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
br_notify.c [NET]: Make device event notification network namespace safe 2007-10-10 16:49:09 -07:00
br_private_stp.h
br_private.h [NET]: Make the device list and device lookups per namespace. 2007-10-10 16:49:10 -07:00
br_stp_bpdu.c [NET]: Make packet reception network namespace safe 2007-10-10 16:49:08 -07:00
br_stp_if.c
br_stp_timer.c
br_stp.c
br_sysfs_br.c kobjects: fix up improper use of the kobject name field 2007-10-12 14:51:02 -07:00
br_sysfs_if.c
br.c [BRIDGE]: Lost call to br_fdb_fini() in br_init() error path 2007-11-29 23:41:43 +11:00
Kconfig
Makefile