Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e3e86b51 authored by David S. Miller's avatar David S. Miller
Browse files

ipv6: Fix leak in ipv6_gso_segment(). 



If ip6_find_1stfragopt() fails and we return an error we have to free
up 'segs' because nobody else is going to.

Fixes: 2423496a ("ipv6: Prevent overrun when parsing v6 header options")
Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9a1c44d9

net/ipv6/ip6_offload.c

+3 −1
Original line number Diff line number Diff line
@@ -116,8 +116,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, 


		if (udpfrag) {

			int err = ip6_find_1stfragopt(skb, &prevhdr);

			if (err < 0)

			if (err < 0) {

				kfree_skb_list(segs);

				return ERR_PTR(err);

			}

			fptr = (struct frag_hdr *)((u8 *)ipv6h + err);

			fptr->frag_off = htons(offset);

			if (skb->next)