From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.7 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F2C8C2D0E7 for ; Fri, 27 Mar 2020 08:10:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 533A120714 for ; Fri, 27 Mar 2020 08:10:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726920AbgC0IKR (ORCPT ); Fri, 27 Mar 2020 04:10:17 -0400 Received: from a.mx.secunet.com ([62.96.220.36]:54984 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726333AbgC0IKQ (ORCPT ); Fri, 27 Mar 2020 04:10:16 -0400 Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 3ECAD20519; Fri, 27 Mar 2020 09:10:15 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 88gfMtr1fl3N; Fri, 27 Mar 2020 09:10:14 +0100 (CET) Received: from cas-essen-01.secunet.de (201.40.53.10.in-addr.arpa [10.53.40.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id AD3AA20538; Fri, 27 Mar 2020 09:10:13 +0100 (CET) Received: from gauss2.secunet.de (10.182.7.193) by cas-essen-01.secunet.de (10.53.40.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Fri, 27 Mar 2020 09:10:13 +0100 Received: by gauss2.secunet.de (Postfix, from userid 1000) id 2F4933180374; Fri, 27 Mar 2020 09:10:13 +0100 (CET) From: Steffen Klassert To: David Miller CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 7/8] vti6: Fix memory leak of skb if input policy check fails Date: Fri, 27 Mar 2020 09:10:06 +0100 Message-ID: <20200327081007.1185-8-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200327081007.1185-1-steffen.klassert@secunet.com> References: <20200327081007.1185-1-steffen.klassert@secunet.com> MIME-Version: 1.0 Content-Type: text/plain X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To cas-essen-01.secunet.de (10.53.40.201) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Torsten Hilbrich The vti6_rcv function performs some tests on the retrieved tunnel including checking the IP protocol, the XFRM input policy, the source and destination address. In all but one places the skb is released in the error case. When the input policy check fails the network packet is leaked. Using the same goto-label discard in this case to fix this problem. Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces") Signed-off-by: Torsten Hilbrich Reviewed-by: Nicolas Dichtel Signed-off-by: Steffen Klassert --- net/ipv6/ip6_vti.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 56e642efefff..cc6180e08a4f 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -311,7 +311,7 @@ static int vti6_rcv(struct sk_buff *skb) if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { rcu_read_unlock(); - return 0; + goto discard; } ipv6h = ipv6_hdr(skb); -- 2.17.1