netfilter: nft_meta: fix cgroup matching

We have to stop iterating on the rule expressions if the cgroup
mismatches. Moreover, make sure a non-full socket from the input path
leads us to a crash.

Fixes: ce67417 ("netfilter: nft_meta: add cgroup support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 5197874..d79ce88 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -166,9 +166,8 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                dest->data[0] = out->group;
                break;
        case NFT_META_CGROUP:
-               if (skb->sk == NULL)
-                       break;
-
+               if (skb->sk == NULL || !sk_fullsock(skb->sk))
+                       goto err;
                dest->data[0] = skb->sk->sk_classid;
                break;
        default: