diff mbox series

[net] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()

Message ID 20240222121747.2193246-1-edumazet@google.com (mailing list archive)
State Accepted
Commit 10bfd453da64a057bcfd1a49fb6b271c48653cdb
Delegated to: Netdev Maintainers
Headers show
Series [net] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 956 this patch: 956
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 973 this patch: 973
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 973 this patch: 973
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 13 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-02-23--03-00 (tests: 1457)

Commit Message

Eric Dumazet Feb. 22, 2024, 12:17 p.m. UTC 
It seems that if userspace provides a correct IFA_TARGET_NETNSID value
but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()
returns -EINVAL with an elevated "struct net" refcount.

Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Ahern <dsahern@kernel.org>
---
 net/ipv6/addrconf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

David Ahern Feb. 22, 2024, 4:16 p.m. UTC | #1 
On 2/22/24 5:17 AM, Eric Dumazet wrote:
> It seems that if userspace provides a correct IFA_TARGET_NETNSID value
> but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()
> returns -EINVAL with an elevated "struct net" refcount.
> 
> Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: David Ahern <dsahern@kernel.org>
> ---
>  net/ipv6/addrconf.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>
patchwork-bot+netdevbpf@kernel.org Feb. 26, 2024, noon UTC | #2 
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Thu, 22 Feb 2024 12:17:47 +0000 you wrote:
> It seems that if userspace provides a correct IFA_TARGET_NETNSID value
> but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()
> returns -EINVAL with an elevated "struct net" refcount.
> 
> Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: David Ahern <dsahern@kernel.org>
> 
> [...]

Here is the summary with links:
  - [net] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
    https://git.kernel.org/netdev/net/c/10bfd453da64

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 5a839c5fb1a5aa55e5c7f2ad8081e401a76d5a93..055230b669cf21d87738a4371543c599c3476f98 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5509,9 +5509,10 @@  static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh,
 	}
 
 	addr = extract_addr(tb[IFA_ADDRESS], tb[IFA_LOCAL], &peer);
-	if (!addr)
-		return -EINVAL;
-
+	if (!addr) {
+		err = -EINVAL;
+		goto errout;
+	}
 	ifm = nlmsg_data(nlh);
 	if (ifm->ifa_index)
 		dev = dev_get_by_index(tgt_net, ifm->ifa_index);