1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Alexey Kodanev <alexey.kodanev@oracle.com>
3 Date: Mon, 5 Feb 2018 15:10:35 +0300
4 Subject: [PATCH] sctp: fix dst refcnt leak in sctp_v6_get_dst()
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
9 When going through the bind address list in sctp_v6_get_dst() and
10 the previously found address is better ('matchlen > bmatchlen'),
11 the code continues to the next iteration without releasing currently
14 Fix it by releasing 'bdst' before continue to the next iteration, and
15 instead of introducing one more '!IS_ERR(bdst)' check for dst_release(),
16 move the already existed one right after ip6_dst_lookup_flow(), i.e. we
17 shouldn't proceed further if we get an error for the route lookup.
19 Fixes: dbc2b5e9a09e ("sctp: fix src address selection if using secondary addresses for ipv6")
20 Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
21 Acked-by: Neil Horman <nhorman@tuxdriver.com>
22 Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
23 Signed-off-by: David S. Miller <davem@davemloft.net>
24 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
26 net/sctp/ipv6.c | 10 +++++++---
27 1 file changed, 7 insertions(+), 3 deletions(-)
29 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
30 index edb462b0b73b..e626d72868fe 100644
33 @@ -326,8 +326,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
34 final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
35 bdst = ip6_dst_lookup_flow(sk, fl6, final_p);
37 - if (!IS_ERR(bdst) &&
38 - ipv6_chk_addr(dev_net(bdst->dev),
42 + if (ipv6_chk_addr(dev_net(bdst->dev),
43 &laddr->a.v6.sin6_addr, bdst->dev, 1)) {
44 if (!IS_ERR_OR_NULL(dst))
46 @@ -336,8 +338,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
49 bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
50 - if (matchlen > bmatchlen)
51 + if (matchlen > bmatchlen) {
56 if (!IS_ERR_OR_NULL(dst))