Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3298731ybb;
        Tue, 31 Mar 2020 02:22:53 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vtvd0prtQQfR8srBzXD+V/Yjb+AGrSQXRdt1aclW4YuxOj62p5ckBKuFZ+UxTotU8ZOTdV1
X-Received: by 2002:aca:c596:: with SMTP id v144mr1453575oif.136.1585646573737;
        Tue, 31 Mar 2020 02:22:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585646573; cv=none;
        d=google.com; s=arc-20160816;
        b=oLQyQNtglIoRXYfnTY5doQekiCxV5jOqwE5iYbd3bKXZSX6RHNiq5QCD2yGuNHVrZj
         T/lcwcH8JM5v6TUm0mceO3EZEq4vkAmPaNjLAlX/qiUqoTIZv7pUUiXSQiG48QdVxmh8
         nu36zsywMtEB0/fwmnePVtW91TCLuwYJHwJ1zPaPiRG1iMizbxEJI+IRokl7WqLIOwIJ
         KJ5cxUXw9TYrBKG1q5vNbGnYhQdTn4sv4mrJ7TmDx+99AP2ftpqOXfpL5rxJvLsQO0aj
         jmtdvw2xwzw/DcusHTNDZD8OOxIUvtkk6DtAkZimhLv8PqgtUjbOL1W8DpWJoevN3pz+
         mypg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=1xUSJkWW1lCYgrPbBq+kNR+xedQInTxWXjCc9A3dP/s=;
        b=Bdp+rQ2T8nt/A9ilXk9b1+X8KzCrJDya5c3bJmOr+PumN1CTf+XaFJ9yN2TuVsi5nO
         nuV5TcozvgJaL2+gga5eIFQ1ipgilp4iPQLD56PyTreu8dWHm8EHnkilOh6JNeSH1C3D
         abqQ5aX3T6OHHKHY0X1u1M/ElP4pHmLV3cEhdkCVqys79TU1r6xXZPV4zUA+eqz8WJLI
         8fMHUFwsbbpyIEc5dZqejxZrsjY6uQKEuf89oEulc+Q63lHbcySnaMC6OWjO2cf+nCuM
         qZd0+yj0nzJpa0uNawzTyuAabN0W06Qf0nAfxHEf8JzVsAyVLMlkEq2PqX6LA57tDZSh
         tZeg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=PEs9q1Qi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k30si467296ool.81.2020.03.31.02.22.41;
        Tue, 31 Mar 2020 02:22:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=PEs9q1Qi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731352AbgCaJIw (ORCPT <rfc822;rafael.sjavar@gmail.com>
        + 99 others); Tue, 31 Mar 2020 05:08:52 -0400
Received: from mail.kernel.org ([198.145.29.99]:51528 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731393AbgCaJIs (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 31 Mar 2020 05:08:48 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 1F5D8208E0;
        Tue, 31 Mar 2020 09:08:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585645728;
        bh=An0gNQn7YMvXnKeG9BQYZZh6VW6cJv6Egsntd0dEeoc=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=PEs9q1QiX3rVlzSwo+hWBP/nNXtA2K/KHGKwn11KS70Cf59UNatbWN1HBev1gilrS
         8R/NwA+p5aRWSP9ClH6E4DPCHDh64GG0zCQp60wuawHYZZWVLEEAMrpnrP0UaW3iqy
         LQVtKmk0lgedDcgBVOtztK+lWFMtDLbtE43JR3RY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Torsten Hilbrich <torsten.hilbrich@secunet.com>,
        Nicolas Dichtel <nicolas.dichtel@6wind.com>,
        Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH 5.5 145/170] vti6: Fix memory leak of skb if input policy check fails
Date:   Tue, 31 Mar 2020 10:59:19 +0200
Message-Id: <20200331085438.755549356@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200331085423.990189598@linuxfoundation.org>
References: <20200331085423.990189598@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Torsten Hilbrich <torsten.hilbrich@secunet.com>

commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.

The vti6_rcv function performs some tests on the retrieved tunnel
including checking the IP protocol, the XFRM input policy, the
source and destination address.

In all but one places the skb is released in the error case. When
the input policy check fails the network packet is leaked.

Using the same goto-label discard in this case to fix this problem.

Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv6/ip6_vti.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -311,7 +311,7 @@ static int vti6_rcv(struct sk_buff *skb)
 
 		if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 			rcu_read_unlock();
-			return 0;
+			goto discard;
 		}
 
 		ipv6h = ipv6_hdr(skb);