Message ID | 20190619170547.6290-1-christian@brauner.io |
---|---|
State | Awaiting Upstream |
Delegated to: | David Miller |
Series | [net-next] br_netfilter: prevent UAF in brnf_exit_net() |
On Wed, Jun 19, 2019 at 07:05:47PM +0200, Christian Brauner wrote:
> Prevent a UAF in brnf_exit_net().
Applied, thanks.
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index fd9e991c1189..d3f9592f4ff8 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -1116,9 +1116,11 @@ static int br_netfilter_sysctl_init_net(struct net *net) static void br_netfilter_sysctl_exit_net(struct net *net, struct brnf_net *brnet) { + struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg; + unregister_net_sysctl_table(brnet->ctl_hdr); if (!net_eq(net, &init_net)) - kfree(brnet->ctl_hdr->ctl_table_arg); + kfree(table); } static int __net_init brnf_init_net(struct net *net)
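
Review bot: In br_netfilter_sysctl_exit_net(), brnet->ctl_hdr still holds the old header pointer after unregister_net_sysctl_table(brnet->ctl_hdr) returns, and that is the same pointer the removed kfree(brnet->ctl_hdr->ctl_table_arg) line went through. Consider setting brnet->ctl_hdr = NULL right after the unregister call so that any later access fails visibly instead of touching stale memory. A one-line comment above the new `table` local, saying the pointer has to be fetched before unregistering, would also keep a later cleanup from folding the dereference back into the kfree() call.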