Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp830133pja;
        Wed, 1 Apr 2020 09:28:53 -0700 (PDT)
X-Google-Smtp-Source: APiQypKMfXcJrvRGBoA44LQhUovUGfWpbq+fnhFIzfp0XtWjv0yWXvmrKqfBxbDDiJGnXz+Z3oug
X-Received: by 2002:aca:f254:: with SMTP id q81mr3446588oih.12.1585758533084;
        Wed, 01 Apr 2020 09:28:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585758533; cv=none;
        d=google.com; s=arc-20160816;
        b=YYivlrohWmbauFSyTVMKPET9RUnj74PjoRy46ld9RLDisrTo5Ad1b3/WkuSTL8bpVx
         WJ/WpwLV96aRA1BDVc3hpGjLKvq5+Pu4c844I2Bwnt9YwML8pILXBf4tu4xidfjtn/BX
         eOXmM+bH4TfRJRVEZHJqS08QMnEv4sirO/QGbXpPnMWiC+IDNU3Os3vsKWyGdQMOexzw
         W9P1xD6+tOdZz8rlBoNimWUoOBUS5nBUlZ9uYiSM/0QrufDbW5wNF64vY6RcLuZ43dRJ
         PUq2fFQLEZl4ZfrjD0MNp7Fr/KYsHdgwYZk01uaLwT4+h5GWGwkFtuEriwwJuQAvzhqI
         KRzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=1UbdsDVVMZwLMgNDLc3k+XGeXvj0Lsjjqw4APH8bmrg=;
        b=LinabX9yFuGGJBKa4zbyPyhcqeCywm3O12TDdBj5Y2a1RqWgl6kTosmClYNYDzEycU
         Dkx7YKrmoH5dlQGhuwBmYieQsISKsGd+5GsIVoF29Y0Cu0eSkB+jgVyJiryRTdwJ/tQD
         7aIJL+hNn1exJXC7r74mOkNFEgCDh/ZdbZtD9Gv3onhPcVlpnQd/yLYKsg8gKP3JrWhH
         VGTxdCLcl52z1HxSjLHIE4ogcqjlcHGPvyInrdaAhLfGkc0maBh5WGmyPqLNc5itG94y
         EI3COwhzucNiJtJPmSW2hdM1bJeYm7hESOapv8eHZU+bX1v4oBXu6GT0OHAIxPvQnSqp
         hesQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="VsZj9Z/F";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g129si1067551oob.1.2020.04.01.09.28.40;
        Wed, 01 Apr 2020 09:28:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="VsZj9Z/F";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387915AbgDAQ0i (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Wed, 1 Apr 2020 12:26:38 -0400
Received: from mail.kernel.org ([198.145.29.99]:51026 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2387903AbgDAQ0e (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 12:26:34 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id C8CCF20857;
        Wed,  1 Apr 2020 16:26:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585758392;
        bh=vHUjieBU5aslM55rEOP09v3yMqm7chbEbPX1sJ1IF44=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=VsZj9Z/F21bKtkTMxDBv1EMCrUO8L5yoVeH1U1BsTupOYV1BOyn5mL6LkPLquVazz
         vQ1ohn7HQvtOLU7Dn3+apy3/hrub0MYSx82HKsDymXLxzkOYFfyrzq292SuD91HKqp
         dUQxskrM16iPWymSvZuNAcQU4BFL+ZDmENatKrRc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Torsten Hilbrich <torsten.hilbrich@secunet.com>,
        Nicolas Dichtel <nicolas.dichtel@6wind.com>,
        Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH 4.19 075/116] vti6: Fix memory leak of skb if input policy check fails
Date:   Wed,  1 Apr 2020 18:17:31 +0200
Message-Id: <20200401161552.388956738@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200401161542.669484650@linuxfoundation.org>
References: <20200401161542.669484650@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Torsten Hilbrich <torsten.hilbrich@secunet.com>

commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.

The vti6_rcv function performs some tests on the retrieved tunnel
including checking the IP protocol, the XFRM input policy, the
source and destination address.

In all but one places the skb is released in the error case. When
the input policy check fails the network packet is leaked.

Using the same goto-label discard in this case to fix this problem.

Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv6/ip6_vti.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb)
 
 		if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 			rcu_read_unlock();
-			return 0;
+			goto discard;
 		}
 
 		ipv6h = ipv6_hdr(skb);