Commit f1183f19 authored Feb 05, 2018 by Alexey Kodanev Committed by Greg Kroah-Hartman Mar 11, 2018

sctp: fix dst refcnt leak in sctp_v6_get_dst()




[ Upstream commit 957d761cf91cdbb175ad7d8f5472336a4d54dbf2 ]

When going through the bind address list in sctp_v6_get_dst() and
the previously found address is better ('matchlen > bmatchlen'),
the code continues to the next iteration without releasing currently
held destination.

Fix it by releasing 'bdst' before continue to the next iteration, and
instead of introducing one more '!IS_ERR(bdst)' check for dst_release(),
move the already existed one right after ip6_dst_lookup_flow(), i.e. we
shouldn't proceed further if we get an error for the route lookup.

Fixes: dbc2b5e9a09e ("sctp: fix src address selection if using secondary addresses for ipv6")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 6b709dae

net/sctp/ipv6.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -323,8 +323,10 @@ static void sctp_v6_get_dst(struct sctp_transport t, union sctp_addr saddr,
		final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
		bdst = ip6_dst_lookup_flow(sk, fl6, final_p);

		if (!IS_ERR(bdst) &&
		ipv6_chk_addr(dev_net(bdst->dev),
		if (IS_ERR(bdst))
		continue;

		if (ipv6_chk_addr(dev_net(bdst->dev),
		&laddr->a.v6.sin6_addr, bdst->dev, 1)) {
		if (!IS_ERR_OR_NULL(dst))
		dst_release(dst);
		@@ -333,8 +335,10 @@ static void sctp_v6_get_dst(struct sctp_transport t, union sctp_addr saddr,
		}

		bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
		if (matchlen > bmatchlen)
		if (matchlen > bmatchlen) {
		dst_release(bdst);
		continue;
		}

		if (!IS_ERR_OR_NULL(dst))
		dst_release(dst);