[Description]

Fix possibly null pointer and memory leak. When skb_headroom(skb) < FOE_INFO_LEN, it means that hnat headroom of the message is incomplete and may have been truncated by other functions. HNAT should return and not relalloc skb. If without the patch, may met NULL pointer and memory leak issue. [Release-log] N/A Change-Id: I490191fa2be5fd1d664b228ef7c97951d0efe036 Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/7694271
2025-01-09 02:43:53 +08:00 · 2023-07-03 14:53:36 +08:00 · 2023-07-03 14:53:36 +08:00 · 46fcd1ca5b
commit 46fcd1ca5b
parent 1157c56596
1 changed files with 3 additions and 11 deletions
--- a/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_hnat/hnat_nf_hook.c
+++ b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_hnat/hnat_nf_hook.c
@ -2333,28 +2333,20 @@ static unsigned int
 mtk_hnat_ipv4_nf_local_out(void *priv, struct sk_buff *skb,
 			   const struct nf_hook_state *state)
 {
-	struct sk_buff *new_skb;
 	struct foe_entry *entry;
 	struct iphdr *iph;

 	if (!is_magic_tag_valid(skb))
 		return NF_ACCEPT;

+	if (unlikely(skb_headroom(skb) < FOE_INFO_LEN))
+		return NF_ACCEPT;
+
 	if (!skb_hnat_is_hashed(skb))
 		return NF_ACCEPT;

 	entry = &hnat_priv->foe_table_cpu[skb_hnat_ppe(skb)][skb_hnat_entry(skb)];

-	if (unlikely(skb_headroom(skb) < FOE_INFO_LEN)) {
-		new_skb = skb_realloc_headroom(skb, FOE_INFO_LEN);
-		if (!new_skb) {
-			dev_info(hnat_priv->dev, "%s:drop\n", __func__);
-			return NF_DROP;
-		}
-		dev_kfree_skb(skb);
-		skb = new_skb;
-	}
-
 	/* Make the flow from local not be bound. */
 	iph = ip_hdr(skb);
 	if (iph->protocol == IPPROTO_IPV6) {