net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow

tcf_ct_handle_fragments() shouldn't free the skb when ip_defrag() call
fails. Otherwise, we will cause a double-free bug.
In such cases, just return the error to the caller.

Fixes: b57dc7c13e ("net/sched: Introduce action ct")
Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Alaa Hleihel 2020-08-19 18:24:10 +03:00 committed by David S. Miller
parent ab921f3cdb
commit eda814b97d

View File

@ -704,7 +704,7 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
err = ip_defrag(net, skb, user);
local_bh_enable();
if (err && err != -EINPROGRESS)
goto out_free;
return err;
if (!err) {
*defrag = true;