Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp848460pja;
        Wed, 1 Apr 2020 09:47:32 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vsDMeSaZ2IL3Y2uK6aCN6ErmKL+sdJ0gYhBv9+SzTdwdBQaEFmjgCNDY6YaEufLWlUXT1GI
X-Received: by 2002:a4a:1ec3:: with SMTP id 186mr17152337ooq.66.1585759652062;
        Wed, 01 Apr 2020 09:47:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585759652; cv=none;
        d=google.com; s=arc-20160816;
        b=0oIHF3+OH7s95vyLjpnifRXQNHoVfufTGFF621xseleCpkdy0hg15qh/wRadcCWwGE
         eDyWVkaa3hQmrMuzBLU6pAlwNuOKcBwrKPbQw0JGkxrInSI0jhCag9EAUww2CPsoutK6
         E8eZn7C1HLEqLDDm/ggkIlMnQyrfumIFjujEZ5RT+PARZpvOVPXLzBPTeqxNBSBZkRza
         R/l/qfajP4tj9Vo+jCp4FXQMj1KLyfD7HjmFGxhhJyga3i4Mh66peJ0WCMkR8GeB4MMB
         BZnQ7UCSnb8sSCE1SXBaeQnicnaxTDnM/UXHTTC2WeCQI8H3kd6rqM3WrUyeha+TmsVr
         bdvA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=1UbdsDVVMZwLMgNDLc3k+XGeXvj0Lsjjqw4APH8bmrg=;
        b=QIT8gjx2Ee3T3hq2SHTgE0IRT359+7g+cLmVoc5dpzsZJl6eamlbjLxyY+sLk7ISGQ
         FA99Xfm1fEHtaWVLJliAmsfZp1IiqZ4iMLnhxEXtzw4if9IWz6rUjNZg0brVSfq8/AZ1
         GCcZwe3RhNMVqLzQtBWMMeg51F6A5MX5jqKwaK+YfTMEiNOBjYh4DFGrMF2BHhRL/7cf
         +ijtORsTNsfiyV2Wjt/rUAKE+HTOz7YVQcMpzhn4m2z7SobE8H5UGmt7bAucooK69XrK
         3V5RG9a4OxNO2Nr22P9zI2r1e2zc3XEnyndoHhycagpxSDhVndAq63VMCqxTRU/QZ8sB
         8qGw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=wIU7nbsG;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l9si1033849otf.51.2020.04.01.09.47.19;
        Wed, 01 Apr 2020 09:47:32 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=wIU7nbsG;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1733156AbgDAQpn (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Wed, 1 Apr 2020 12:45:43 -0400
Received: from mail.kernel.org ([198.145.29.99]:46884 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2389403AbgDAQpj (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 12:45:39 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id B31D12063A;
        Wed,  1 Apr 2020 16:45:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585759538;
        bh=vHUjieBU5aslM55rEOP09v3yMqm7chbEbPX1sJ1IF44=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=wIU7nbsGF5P0nQNgOxJ/lO3Llts9VHJOz9c8ULyrGvSAPw3lmY3JBpLxzI3LhixP8
         6c33ImlPnQPndqp6ue5kbiJwsNsCmYT4BcQT7i+K3v08T4FqG0apgW4sPe7ZdqOGFo
         IV+5iYmAz9KPaLvh7GO4PDFH1zNvU7Pz1ztE+EgE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Torsten Hilbrich <torsten.hilbrich@secunet.com>,
        Nicolas Dichtel <nicolas.dichtel@6wind.com>,
        Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH 4.14 110/148] vti6: Fix memory leak of skb if input policy check fails
Date:   Wed,  1 Apr 2020 18:18:22 +0200
Message-Id: <20200401161603.129286885@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200401161552.245876366@linuxfoundation.org>
References: <20200401161552.245876366@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Torsten Hilbrich <torsten.hilbrich@secunet.com>

commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.

The vti6_rcv function performs some tests on the retrieved tunnel
including checking the IP protocol, the XFRM input policy, the
source and destination address.

In all but one places the skb is released in the error case. When
the input policy check fails the network packet is leaked.

Using the same goto-label discard in this case to fix this problem.

Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv6/ip6_vti.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb)
 
 		if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 			rcu_read_unlock();
-			return 0;
+			goto discard;
 		}
 
 		ipv6h = ipv6_hdr(skb);