Home » Mailing list archives » linux-kernel » 2008 » March » 21

[patch 11/76] IPV6: dst_entry leak in ip4ip6_err.

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Chris Wright <chrisw@...>
To: <linux-kernel@...>, <stable@...>
Cc: Justin Forbes <jmforbes@...>, Zwane Mwaikambo <zwane@...>, Theodore Ts'o <tytso@...>, Randy Dunlap <rdunlap@...>, Dave Jones <davej@...>, Chuck Wolber <chuckw@...>, Chris Wedgwood <reviews@...>, Michael Krufky <mkrufky@...>, Chuck Ebbert <cebbert@...>, Domenico Andreoli <cavokz@...>, <torvalds@...>, <akpm@...>, <alan@...>, Denis V. Lunev <den@...>, David S Miller <davem@...>, Greg Kroah-Hartman <gregkh@...>
Subject: [patch 11/76] IPV6: dst_entry leak in ip4ip6_err.
Date: Friday, March 21, 2008 - 6:43 pm

-stable review patch.  If anyone has any objections, please let us know.
---------------------

From: Denis V. Lunev <den@openvz.org>

Upstream commit: 9937ded8e44de8865cba1509d24eea9d350cebf0

The result of the ip_route_output is not assigned to skb. This means that
- it is leaked
- possible OOPS below dereferrencing skb->dst
- no ICMP message for this case

Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 net/ipv6/ip6_tunnel.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -550,6 +550,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
 			ip_rt_put(rt);
 			goto out;
 		}
+		skb2->dst = (struct dst_entry *)rt;
 	} else {
 		ip_rt_put(rt);
 		if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos,

-- 
--
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
[patch 11/76] IPV6: dst_entry leak in ip4ip6_err., Chris Wright, (Fri Mar 21, 6:43 pm)