Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp848460pja; Wed, 1 Apr 2020 09:47:32 -0700 (PDT) X-Google-Smtp-Source: ADFU+vsDMeSaZ2IL3Y2uK6aCN6ErmKL+sdJ0gYhBv9+SzTdwdBQaEFmjgCNDY6YaEufLWlUXT1GI X-Received: by 2002:a4a:1ec3:: with SMTP id 186mr17152337ooq.66.1585759652062; Wed, 01 Apr 2020 09:47:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585759652; cv=none; d=google.com; s=arc-20160816; b=0oIHF3+OH7s95vyLjpnifRXQNHoVfufTGFF621xseleCpkdy0hg15qh/wRadcCWwGE eDyWVkaa3hQmrMuzBLU6pAlwNuOKcBwrKPbQw0JGkxrInSI0jhCag9EAUww2CPsoutK6 E8eZn7C1HLEqLDDm/ggkIlMnQyrfumIFjujEZ5RT+PARZpvOVPXLzBPTeqxNBSBZkRza R/l/qfajP4tj9Vo+jCp4FXQMj1KLyfD7HjmFGxhhJyga3i4Mh66peJ0WCMkR8GeB4MMB BZnQ7UCSnb8sSCE1SXBaeQnicnaxTDnM/UXHTTC2WeCQI8H3kd6rqM3WrUyeha+TmsVr bdvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=1UbdsDVVMZwLMgNDLc3k+XGeXvj0Lsjjqw4APH8bmrg=; b=QIT8gjx2Ee3T3hq2SHTgE0IRT359+7g+cLmVoc5dpzsZJl6eamlbjLxyY+sLk7ISGQ FA99Xfm1fEHtaWVLJliAmsfZp1IiqZ4iMLnhxEXtzw4if9IWz6rUjNZg0brVSfq8/AZ1 GCcZwe3RhNMVqLzQtBWMMeg51F6A5MX5jqKwaK+YfTMEiNOBjYh4DFGrMF2BHhRL/7cf +ijtORsTNsfiyV2Wjt/rUAKE+HTOz7YVQcMpzhn4m2z7SobE8H5UGmt7bAucooK69XrK 3V5RG9a4OxNO2Nr22P9zI2r1e2zc3XEnyndoHhycagpxSDhVndAq63VMCqxTRU/QZ8sB 8qGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wIU7nbsG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l9si1033849otf.51.2020.04.01.09.47.19; Wed, 01 Apr 2020 09:47:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wIU7nbsG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733156AbgDAQpn (ORCPT + 99 others); Wed, 1 Apr 2020 12:45:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:46884 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389403AbgDAQpj (ORCPT ); Wed, 1 Apr 2020 12:45:39 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B31D12063A; Wed, 1 Apr 2020 16:45:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585759538; bh=vHUjieBU5aslM55rEOP09v3yMqm7chbEbPX1sJ1IF44=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wIU7nbsGF5P0nQNgOxJ/lO3Llts9VHJOz9c8ULyrGvSAPw3lmY3JBpLxzI3LhixP8 6c33ImlPnQPndqp6ue5kbiJwsNsCmYT4BcQT7i+K3v08T4FqG0apgW4sPe7ZdqOGFo IV+5iYmAz9KPaLvh7GO4PDFH1zNvU7Pz1ztE+EgE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Torsten Hilbrich , Nicolas Dichtel , Steffen Klassert Subject: [PATCH 4.14 110/148] vti6: Fix memory leak of skb if input policy check fails Date: Wed, 1 Apr 2020 18:18:22 +0200 Message-Id: <20200401161603.129286885@linuxfoundation.org> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200401161552.245876366@linuxfoundation.org> References: <20200401161552.245876366@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Torsten Hilbrich commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream. The vti6_rcv function performs some tests on the retrieved tunnel including checking the IP protocol, the XFRM input policy, the source and destination address. In all but one places the skb is released in the error case. When the input policy check fails the network packet is leaked. Using the same goto-label discard in this case to fix this problem. Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces") Signed-off-by: Torsten Hilbrich Reviewed-by: Nicolas Dichtel Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/ipv6/ip6_vti.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb) if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { rcu_read_unlock(); - return 0; + goto discard; } ipv6h = ipv6_hdr(skb);