Skip to content

Commit

Permalink
bridge: vlan: Prevent possible use-after-free
Browse files Browse the repository at this point in the history 
When adding a port to a bridge we initialize VLAN filtering on it. We do
not bail out in case an error occurred in nbp_vlan_init, as it can be
used as a non VLAN filtering bridge.

However, if VLAN filtering is required and an error occurred in
nbp_vlan_init, we should set vlgrp to NULL, so that VLAN filtering
functions (e.g. br_vlan_find, br_get_pvid) will know the struct is
invalid and will not try to access it.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Ido Schimmel authored and David S. Miller committed Nov 2, 2015
1 parent ce10500 commit 07bc588
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/bridge/br_vlan.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -914,6 +914,8 @@ int nbp_vlan_init(struct net_bridge_port *p)
return ret;

err_vlan_add:
RCU_INIT_POINTER(p->vlgrp, NULL);
synchronize_rcu();
rhashtable_destroy(&vg->vlan_hash);
err_rhtbl:
kfree(vg);
Expand Down

0 comments on commit 07bc588

Please sign in to comment.