From: Florian Westphal <fw@strlen.de>
Date: Tue, 20 Sep 2022 12:20:17 +0000 (+0200)
Subject: netfilter: ebtables: fix memory leak when blob is malformed
X-Git-Tag: baikal/aarch64/sdk6.1~3077^2~14^2~1
X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=73383c1f40e290c4681d425db8ca30f44f7f05e2;p=kernel.git

netfilter: ebtables: fix memory leak when blob is malformed

The bug fix was incomplete, it "replaced" crash with a memory leak.
The old code had an assignment to "ret" embedded into the conditional,
restore this.

Fixes: d3dd6af1d116 ("netfilter: ebtables: reject blobs that don't provide all entry points")
Reported-and-tested-by: syzbot+a24c5252f3e3ab733464@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 9a0ae59cdc500..4f385d52a1c49 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1040,8 +1040,10 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
 		goto free_iterate;
 	}
 
-	if (repl->valid_hooks != t->valid_hooks)
+	if (repl->valid_hooks != t->valid_hooks) {
+		ret = -EINVAL;
 		goto free_unlock;
+	}
 
 	if (repl->num_counters && repl->num_counters != t->private->nentries) {
 		ret = -EINVAL;