From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Torsten Hilbrich, Nicolas Dichtel, Steffen Klassert
Subject: [PATCH 4.9 070/102] vti6: Fix memory leak of skb if input policy check fails
Date: Wed, 1 Apr 2020 18:18:13 +0200
Message-Id: <20200401161544.369456064@linuxfoundation.org>
In-Reply-To: <20200401161530.451355388@linuxfoundation.org>

From: Torsten Hilbrich

commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.

The vti6_rcv function performs some tests on the retrieved tunnel
including checking the IP protocol, the XFRM input policy, the
source and destination address.

In all but one place the skb is released in the error case. When
the input policy check fails the network packet is leaked.

Use the same goto label discard in this case to fix this problem.

Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
Signed-off-by: Torsten Hilbrich
Reviewed-by: Nicolas Dichtel
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman

--- net/ipv6/ip6_vti.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb) if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { rcu_read_unlock(); - return 0; + goto discard; } ipv6h = ipv6_hdr(skb);
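
Review bot: The new `goto discard;` in the `xfrm6_policy_check()` failure branch runs after `rcu_read_unlock();`, and the `discard` label is outside the three lines of context shown, so the backport should be checked against the 4.9 copy of `vti6_rcv()` to confirm the label frees the skb and returns without releasing the RCU read lock a second time. The replaced line was `return 0;`, so it is also worth confirming that the `discard` path returns the same value, otherwise the caller sees a different result for a policy failure than before. A one-line mention in the changelog of what `discard` does (free and return value) would let stable reviewers verify this without opening the file.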