From: Florian Westphal fw@strlen.de
stable inclusion from stable-v4.19.260 commit 1e98318af2f163eadaff815abcef38d27ca92c1e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5UQH4 CVE: NA
--------------------------------
[ Upstream commit 62ce44c4fff947eebdf10bb582267e686e6835c9 ]
The bug fix was incomplete, it "replaced" crash with a memory leak. The old code had an assignment to "ret" embedded into the conditional, restore this.
Fixes: 7997eff82828 ("netfilter: ebtables: reject blobs that don't provide all entry points") Reported-and-tested-by: syzbot+a24c5252f3e3ab733464@syzkaller.appspotmail.com Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Xu Jia xujia39@huawei.com Reviewed-by: Wei Yongjun weiyongjun1@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- net/bridge/netfilter/ebtables.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index ea27bacbd005..59d8974ee92b 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1003,8 +1003,10 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, goto free_iterate; }
- if (repl->valid_hooks != t->valid_hooks) + if (repl->valid_hooks != t->valid_hooks) { + ret = -EINVAL; goto free_unlock; + }
if (repl->num_counters && repl->num_counters != t->private->nentries) { ret = -EINVAL;