2018-02-21 08:18:49 +00:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Alexey Kodanev <alexey.kodanev@oracle.com>
|
|
|
|
Date: Mon, 5 Feb 2018 15:10:35 +0300
|
|
|
|
Subject: [PATCH] sctp: fix dst refcnt leak in sctp_v6_get_dst()
|
|
|
|
MIME-Version: 1.0
|
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
|
|
|
|
When going through the bind address list in sctp_v6_get_dst() and
|
|
|
|
the previously found address is better ('matchlen > bmatchlen'),
|
|
|
|
the code continues to the next iteration without releasing currently
|
|
|
|
held destination.
|
|
|
|
|
|
|
|
Fix it by releasing 'bdst' before continue to the next iteration, and
|
|
|
|
instead of introducing one more '!IS_ERR(bdst)' check for dst_release(),
|
|
|
|
move the already existed one right after ip6_dst_lookup_flow(), i.e. we
|
|
|
|
shouldn't proceed further if we get an error for the route lookup.
|
|
|
|
|
|
|
|
Fixes: dbc2b5e9a09e ("sctp: fix src address selection if using secondary addresses for ipv6")
|
|
|
|
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
|
|
|
|
Acked-by: Neil Horman <nhorman@tuxdriver.com>
|
|
|
|
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
|
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
|
|
---
|
|
|
|
net/sctp/ipv6.c | 10 +++++++---
|
|
|
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
|
2018-03-21 10:26:28 +00:00
|
|
|
index edb462b0b73b..e626d72868fe 100644
|
2018-02-21 08:18:49 +00:00
|
|
|
--- a/net/sctp/ipv6.c
|
|
|
|
+++ b/net/sctp/ipv6.c
|
|
|
|
@@ -326,8 +326,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
|
|
|
final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
|
|
|
|
bdst = ip6_dst_lookup_flow(sk, fl6, final_p);
|
|
|
|
|
|
|
|
- if (!IS_ERR(bdst) &&
|
|
|
|
- ipv6_chk_addr(dev_net(bdst->dev),
|
|
|
|
+ if (IS_ERR(bdst))
|
|
|
|
+ continue;
|
|
|
|
+
|
|
|
|
+ if (ipv6_chk_addr(dev_net(bdst->dev),
|
|
|
|
&laddr->a.v6.sin6_addr, bdst->dev, 1)) {
|
|
|
|
if (!IS_ERR_OR_NULL(dst))
|
|
|
|
dst_release(dst);
|
|
|
|
@@ -336,8 +338,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
|
|
|
}
|
|
|
|
|
|
|
|
bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
|
|
|
|
- if (matchlen > bmatchlen)
|
|
|
|
+ if (matchlen > bmatchlen) {
|
|
|
|
+ dst_release(bdst);
|
|
|
|
continue;
|
|
|
|
+ }
|
|
|
|
|
|
|
|
if (!IS_ERR_OR_NULL(dst))
|
|
|
|
dst_release(dst);
|
|
|
|
--
|
|
|
|
2.14.2
|
|
|
|
|