[PATCH] net/sched: act_ct: fix skb leak on fragment check failure

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Dudu Lu <phx0fer@gmail.com>
To: netdev@vger.kernel.org
Cc: jhs@mojatatu.com, jiri@resnulli.us, Dudu Lu <phx0fer@gmail.com>
Subject: [PATCH] net/sched: act_ct: fix skb leak on fragment check failure
Date: Mon, 13 Apr 2026 16:46:09 +0800	[thread overview]
Message-ID: <20260413084609.69560-1-phx0fer@gmail.com> (raw)

tcf_ct_handle_fragments() returns TC_ACT_CONSUMED when
tcf_ct_ipv4/6_is_fragment() fails. This causes the caller to
believe the skb was consumed, but it was not freed. Each
malformed fragment leaks one skb, leading to OOM DoS under
sustained traffic.

Change the return value to TC_ACT_SHOT so the skb is properly
freed by the caller.

Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
---
 net/sched/act_ct.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 7d5e50c921a0..870655f682bd 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -1107,8 +1107,10 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 	return retval;
 
 out_frag:
-	if (err != -EINPROGRESS)
+	if (err != -EINPROGRESS) {
 		tcf_action_inc_drop_qstats(&c->common);
+		return TC_ACT_SHOT;
+	}
 	return TC_ACT_CONSUMED;
 
 drop:
-- 
2.39.3 (Apple Git-145)

next             reply	other threads:[~2026-04-13  8:46 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-13  8:46 Dudu Lu [this message]
2026-04-15 14:10 ` [PATCH] net/sched: act_ct: fix skb leak on fragment check failure Simon Horman

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7d5e50c921a dfblob:870655f682b )
 OR (
bs:"[PATCH] net/sched: act_ct: fix skb leak on fragment check failure" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260413084609.69560-1-phx0fer@gmail.com \
    --to=phx0fer@gmail.com \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox