netfilter: nft_meta: fix cgroup matching
author Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 27 Mar 2015 11:14:13 +0000 (12:14 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 1 Apr 2015 09:33:00 +0000 (11:33 +0200)
commit c5035c77f89364d2da2871d829553bd1a4321940
tree d403a5f3f17acf2b1e0dc7946937dc008026072d
parent afb7718016fcb0370ac29a83b2839c78b76c2960
netfilter: nft_meta: fix cgroup matching

We have to stop iterating on the rule expressions if the cgroup
mismatches. Moreover, make sure a non-full socket from the input path
leads us to a crash.

Fixes: ce67417 ("netfilter: nft_meta: add cgroup support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_meta.c