netfilter: check if the socket netns is correct.

[linux.git] / net / netfilter / xt_cgroup.c

diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 7df2dece57d30f6c4e921cf3eeff40f5319b672a..5d92e178198088b85d040473f909aa9eab78c18e 100644 (file)
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -72,8 +72,9 @@ static bool
 cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_cgroup_info_v0 *info = par->matchinfo;
+       struct sock *sk = skb->sk;
 
-       if (skb->sk == NULL || !sk_fullsock(skb->sk))
+       if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
                return false;
 
        return (info->id == sock_cgroup_classid(&skb->sk->sk_cgrp_data)) ^
@@ -85,8 +86,9 @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
        const struct xt_cgroup_info_v1 *info = par->matchinfo;
        struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
        struct cgroup *ancestor = info->priv;
+       struct sock *sk = skb->sk;
 
-       if (!skb->sk || !sk_fullsock(skb->sk))
+       if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
                return false;
 
        if (ancestor)