Revision e7c243c925f6d9dcb898504ff24d6650b5cbb3b1 authored by Evgeniy Polyakov on 25 August 2007, 06:36:29 UTC, committed by David S. Miller on 27 August 2007, 01:35:47 UTC
I tried to preserve bridging code as it was before, but logic is quite strange - I think we should free skb on error, since it is already unshared and thus will just leak. Herbert Xu states: > + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) > + goto out; If this happens it'll be a double-free on skb since we'll return NF_DROP which makes the caller free it too. We could return NF_STOLEN to prevent that but I'm not sure whether that's correct netfilter semantics. Patrick, could you please make a call on this? Patrick McHardy states: NF_STOLEN should work fine here. Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 7c8347a
seccomp.h
#ifndef _LINUX_SECCOMP_H
#define _LINUX_SECCOMP_H
#ifdef CONFIG_SECCOMP
#include <linux/thread_info.h>
#include <asm/seccomp.h>
typedef struct { int mode; } seccomp_t;
extern void __secure_computing(int);
static inline void secure_computing(int this_syscall)
{
if (unlikely(test_thread_flag(TIF_SECCOMP)))
__secure_computing(this_syscall);
}
extern long prctl_get_seccomp(void);
extern long prctl_set_seccomp(unsigned long);
#else /* CONFIG_SECCOMP */
typedef struct { } seccomp_t;
#define secure_computing(x) do { } while (0)
static inline long prctl_get_seccomp(void)
{
return -EINVAL;
}
static inline long prctl_set_seccomp(unsigned long arg2)
{
return -EINVAL;
}
#endif /* CONFIG_SECCOMP */
#endif /* _LINUX_SECCOMP_H */
Computing file changes ...
