
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2018-07-27

1) Fix PMTU handling of vti6. We update the PMTU on
the xfrm dst_entry which is not cached anymore
after the flowcache removal. So update the
PMTU of the original dst_entry instead.
From Eyal Birger.

2) Fix a leak of kernel memory to userspace.
From Eric Dumazet.

3) Fix a possible dst_entry memleak in xfrm_lookup_route.
From Tommi Rantala.

4) Fix a skb leak in case we can't call nlmsg_multicast
from xfrm_nlmsg_multicast. From Florian Westphal.

5) Fix a leak of a temporary buffer in the error path of
esp6_input. From Zhen Lei.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+23 -13
+3 -1
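--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -669,8 +669,10 @@
 
 sg_init_table(sg, nfrags);
 ret = skb_to_sgvec(skb, sg, 0, skb->len);
-if (unlikely(ret < 0))
+if (unlikely(ret < 0)) {
+kfree(tmp);
 goto out;
+}
 
 skb->ip_summed = CHECKSUM_NONE;
 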
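Review bot: The `kfree(tmp)` in the `skb_to_sgvec()` failure branch has no comment saying why this exit must free the buffer itself, so the next error exit added after the allocation can easily repeat the leak. A short comment such as `/* request is never submitted on this path, so nothing else frees tmp */` would record that, assuming the buffer is normally released elsewhere once the request completes. The function starts and ends outside the hunk, so it cannot be confirmed from here that no other exit between the allocation and this point needs the same treatment. Since this is the input path, a per-packet leak is a memory-exhaustion concern and worth a quick audit of the remaining `goto out` sites.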
+6 -5
net/ipv6/ip6_vti.c
··· 480 480 goto tx_err_dst_release; 481 481 } 482 482 483 - skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev))); 484 - skb_dst_set(skb, dst); 485 - skb->dev = skb_dst(skb)->dev; 486 - 487 483 mtu = dst_mtu(dst); 488 484 if (!skb->ignore_df && skb->len > mtu) { 489 485 skb_dst_update_pmtu(skb, mtu); ··· 494 498 htonl(mtu)); 495 499 } 496 500 497 - return -EMSGSIZE; 501 + err = -EMSGSIZE; 502 + goto tx_err_dst_release; 498 503 } 504 + 505 + skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev))); 506 + skb_dst_set(skb, dst); 507 + skb->dev = skb_dst(skb)->dev; 499 508 500 509 err = dst_output(t->net, skb->sk, skb); 501 510 if (net_xmit_eval(err) == 0) {
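Review bot: Nothing in the new code says why `skb_scrub_packet()` and `skb_dst_set()` now have to come after the MTU check, so a later tidy-up could move them back and silently reintroduce the stale-PMTU behaviour. A comment above `mtu = dst_mtu(dst);` would pin the ordering, for example `/* skb still carries its original dst here; update its PMTU before skb_dst_set() replaces it */`. The too-big branch now leaves through `tx_err_dst_release` with `err = -EMSGSIZE`. That label lies outside the hunk, so it should be confirmed that it releases `dst` (no longer attached to the skb at that point) and returns `err`.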
+3
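--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2286,6 +2286,9 @@
 if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
 return make_blackhole(net, dst_orig->ops->family, dst_orig);
 
+if (IS_ERR(dst))
+dst_release(dst_orig);
+
 return dst;
 }
 EXPORT_SYMBOL(xfrm_lookup_route);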
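Review bot: The added `dst_release(dst_orig)` changes the ownership contract of `xfrm_lookup_route()`, because the function now drops the caller's reference on every error return, and nothing in the visible code documents that. A caller that still releases `dst_orig` itself after an `IS_ERR()` result would underflow the refcount, so each caller of this exported symbol should be checked; none of them are visible here. A comment above the new check would make the rule explicit, for example `/* on error the reference on dst_orig is consumed here; callers must not release it again */`. The start of the function is outside the hunk.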
+11 -7
net/xfrm/xfrm_user.c
··· 1025 1025 { 1026 1026 struct sock *nlsk = rcu_dereference(net->xfrm.nlsk); 1027 1027 1028 - if (nlsk) 1029 - return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); 1030 - else 1031 - return -1; 1028 + if (!nlsk) { 1029 + kfree_skb(skb); 1030 + return -EPIPE; 1031 + } 1032 + 1033 + return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); 1032 1034 } 1033 1035 1034 1036 static inline unsigned int xfrm_spdinfo_msgsize(void) ··· 1673 1671 #ifdef CONFIG_XFRM_SUB_POLICY 1674 1672 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1675 1673 { 1676 - struct xfrm_userpolicy_type upt = { 1677 - .type = type, 1678 - }; 1674 + struct xfrm_userpolicy_type upt; 1675 + 1676 + /* Sadly there are two holes in struct xfrm_userpolicy_type */ 1677 + memset(&upt, 0, sizeof(upt)); 1678 + upt.type = type; 1679 1679 1680 1680 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 1681 1681 }
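Review bot: The comment added in `copy_to_user_policy_type()` says only that the struct has two holes, not why the designated initializer was insufficient or what the risk is. Something like `/* nla_put() copies all sizeof(upt) bytes to userspace, padding included; an initializer need not zero padding */` would tell the next reader not to revert to `= { .type = type }`. Other helpers in this file that build a struct on the stack and pass `sizeof` of it to `nla_put()` may deserve the same check, though none are visible here. In the first hunk, `xfrm_nlmsg_multicast()` now frees `skb` when `nlsk` is NULL, so callers have to treat the skb as consumed on every return; a one-line comment on the function would help there too.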