From 04292a76b0813373529d74deccdf35d35fdba3b2 Mon Sep 17 00:00:00 2001 From: Jukka Rissanen Date: Tue, 26 Nov 2024 11:08:49 +0200 Subject: [PATCH 1/2] net: ethernet: bridge: Avoid null pointer access If the packet cloning failed, bail out in order to avoid null pointer access. Fixes #81992 Coverity-CID: 434493 Signed-off-by: Jukka Rissanen (cherry picked from commit ed0dcca2fb5006f4009633728ec7409ac08a219c) --- subsys/net/l2/ethernet/bridge.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/subsys/net/l2/ethernet/bridge.c b/subsys/net/l2/ethernet/bridge.c index d497acc683397..905914a909de1 100644 --- a/subsys/net/l2/ethernet/bridge.c +++ b/subsys/net/l2/ethernet/bridge.c @@ -372,6 +372,11 @@ static enum net_verdict bridge_iface_process(struct net_if *iface, */ if (count > 2) { send_pkt = net_pkt_clone(pkt, K_NO_WAIT); + if (send_pkt == NULL) { + NET_DBG("DROP: clone failed"); + break; + } + net_pkt_ref(send_pkt); } else { send_pkt = net_pkt_ref(pkt); From c4f2e2ca5a716ca516204e18a2072ff3e9ba44f3 Mon Sep 17 00:00:00 2001 From: Jukka Rissanen Date: Tue, 26 Nov 2024 13:25:52 +0200 Subject: [PATCH 2/2] net: ethernet: bridge: Drop the cloned packet in error We need to drop the cloned packet that was fed to the bridge instead of returning directly from the function. Without this change we have a buffer leak. Signed-off-by: Jukka Rissanen (cherry picked from commit c6a1af5c17287414055f587ae01719f4faee358b) --- subsys/net/l2/ethernet/bridge.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/subsys/net/l2/ethernet/bridge.c b/subsys/net/l2/ethernet/bridge.c index 905914a909de1..4b883643c3a3f 100644 --- a/subsys/net/l2/ethernet/bridge.c +++ b/subsys/net/l2/ethernet/bridge.c @@ -345,7 +345,7 @@ static enum net_verdict bridge_iface_process(struct net_if *iface, /* Drop all link-local packets for now. */ if (is_link_local_addr((struct net_eth_addr *)net_pkt_lladdr_dst(pkt))) { NET_DBG("DROP: lladdr"); - return NET_DROP; + goto out; } lock_bridge(ctx); 
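Review bot: The new `send_pkt == NULL` branch reports the failure only through `NET_DBG` and then `break`s, so when packet buffers run out (for example during a broadcast burst) the frame is not forwarded to the remaining bridge interfaces and nothing shows unless debug logging is enabled. A short comment such as `/* Out of buffers: later clones would fail too, so stop forwarding this frame. */` would record why `break` rather than `continue` is intended. A drop counter or a rate-limited warning would make buffer exhaustion observable in production. The statement that `break` leaves starts outside the hunk, so whether it reaches the common unlock/unref exit is an assumption to confirm.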
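Review bot: With `goto out` the link-local drop now ends in `return NET_OK` (see the second hunk of this patch) instead of `NET_DROP`, so the caller can no longer tell a dropped frame from a forwarded one. That looks deliberate, since the function now releases `pkt` itself and a `NET_DROP` verdict might make the caller release it a second time, but the caller is not in view and the hunk does not say so. I would add a comment at the jump, e.g. `/* pkt is released at out:, which returns NET_OK so the caller does not unref it again */`.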
@@ -397,11 +397,11 @@ static enum net_verdict bridge_iface_process(struct net_if *iface, unlock_bridge(ctx); +out: /* The packet was cloned by the caller so remove it here. */ net_pkt_unref(pkt); return NET_OK; - } int bridge_iface_send(struct net_if *iface, struct net_pkt *pkt)
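Review bot: `out:` is placed after `unlock_bridge(ctx)`, so it is only a valid target for exits taken before `lock_bridge(ctx)`; a later error path added inside the locked region that reuses `goto out` would return with the bridge lock still held. Extending the existing comment to `/* Reached with the bridge lock released. The packet was cloned by the caller so remove it here. */`, or naming the label `out_unlocked`, would make that constraint visible. The function body starts outside the hunk.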