vti6: Fix memory leak of skb if input policy check fails

commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream. The vti6_rcv function performs some tests on the retrieved tunnel including checking the IP protocol, the XFRM input policy, the source and destination address. In all but one places the skb is released in the error case. When the input policy check fails the network packet is leaked. Using the same goto-label discard in this case to fix this problem. Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces") Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com> Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Torsten Hilbrich <torsten.hilbrich@secunet.com> 2020-03-11 11:19:06 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-04-02 19:02:37 +0200
commit: 153db0f43e37e2a192a7fab17c8d326352dc467b (patch)
tree: ebeab5f83b7311afacd235a3c4b1e3609d03780b /net/ipv6
parent: 0ac1dd7bb8f1b40f1bf494f6a27235a7a3b36350 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index fd524da8ba9a..4d273adcf130 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb)
 
 		if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 			rcu_read_unlock();
-			return 0;
+			goto discard;
 		}
 
 		if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
author	Torsten Hilbrich <torsten.hilbrich@secunet.com>	2020-03-11 11:19:06 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-04-02 19:02:37 +0200
commit	153db0f43e37e2a192a7fab17c8d326352dc467b (patch)
tree	ebeab5f83b7311afacd235a3c4b1e3609d03780b /net/ipv6
parent	0ac1dd7bb8f1b40f1bf494f6a27235a7a3b36350 (diff)