Commit f1ba8375 authored Mar 08, 2026 by Hyunwoo Kim Committed by Florian Westphal Mar 10, 2026

netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.

This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount). Repeated
triggering exhausts kernel memory.

Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.

Fixes: 8d45ff22 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR")
Reviewed-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

parent cfe77022

net/netfilter/nfnetlink_queue.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1546,9 +1546,11 @@ static int nfqnl_recv_verdict(struct sk_buff skb, const struct nfnl_info info,

		if (entry->state.pf == PF_BRIDGE) {
		err = nfqa_parse_bridge(entry, nfqa);
		if (err < 0)
		if (err < 0) {
		nfqnl_reinject(entry, NF_DROP);
		return err;
		}
		}

		if (nfqa[NFQA_PAYLOAD]) {
		u16 payload_len = nla_len(nfqa[NFQA_PAYLOAD]);