netfilter: nft_meta: fix cgroup matching
We have to stop iterating on the rule expressions if the cgroup
mismatches. Moreover, make sure a non-full socket from the input path
leads us to a crash.

Fixes: ce67417 ("netfilter: nft_meta: add cgroup support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso committed Apr 1, 2015
1 parent afb7718 commit c5035c7
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions net/netfilter/nft_meta.c
Expand Up @@ -166,9 +166,8 @@ void nft_meta_get_eval(const struct nft_expr *expr,
dest->data[0] = out->group;
break;
case NFT_META_CGROUP:
if (skb->sk == NULL)
break;

if (skb->sk == NULL || !sk_fullsock(skb->sk))
goto err;
dest->data[0] = skb->sk->sk_classid;
break;
default:
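Review bot: the `goto err` that replaces the old `break` in the `NFT_META_CGROUP` case is the part that needs checking, because the `err` label is outside this hunk's visible context: with `break`, a packet with no socket left the switch with `dest->data[0]` untouched and evaluation of the remaining expressions in the rule continued against that stale register; confirm that `err` sets the break verdict so the rule stops matching, which is what the commit message says it should. The new condition `skb->sk == NULL || !sk_fullsock(skb->sk)` is ordered correctly (short-circuit evaluation keeps `sk_fullsock()` from seeing a NULL pointer, and `skb->sk->sk_classid` is only read once both tests pass), so the only remaining nit is the commit message's second sentence, which reads as if a "does not" is missing before "leads us to a crash".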
