From b4a90d4a5283cb33b84998adf6cff7236dd0ee78 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Mon, 6 Mar 2017 08:50:15 +0100
Subject: [PATCH] netfilter: layer7 fix wrong fuzzy match change patch has applied one hunk to a wrong place. This result in double free and crash the kernel.
Signed-off-by: Arne Fitzenreiter
---
 net/netfilter/nf_conntrack_core.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 1357a2729a4ba..7cf2b36ca40c0 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -601,6 +601,13 @@ void nf_ct_destroy(struct nf_conntrack *nfct)
 */
 nf_ct_remove_expectations(ct);
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ if(ct->layer7.app_proto)
+ kfree(ct->layer7.app_proto);
+ if(ct->layer7.app_data)
+ kfree(ct->layer7.app_data);
+#endif
+
 if (ct->master)
 nf_ct_put(ct->master);
--
2.47.3
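Review bot: The two frees added to nf_ct_destroy() leave `ct->layer7.app_proto` and `ct->layer7.app_data` dangling, and the diffstat shows only insertions, so nothing visible here removes the misplaced copy of this hunk that the description blames for the double free. If that copy still runs on some path, the same pointers would be freed twice. Clearing each pointer after its free makes a second pass harmless: `kfree(ct->layer7.app_proto); ct->layer7.app_proto = NULL;`, and likewise for `app_data`. kfree() accepts NULL, so the `if` guards can be dropped, and `#if IS_ENABLED(CONFIG_NETFILTER_XT_MATCH_LAYER7)` covers both the built-in and the module case. nf_ct_destroy() starts and ends outside the hunk, so whether `ct` is used again after these frees cannot be checked from here.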