Commit 45c61993 authored Jun 19, 2024 by Eric Dumazet Committed by Guo Mengqi Jun 19, 2024

ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()

stable inclusion
from stable-v5.10.212
commit 810fa7d5e5202fcfb22720304b755f1bdfd4c174
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8NB

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=810fa7d5e5202fcfb22720304b755f1bdfd4c174



--------------------------------

[ Upstream commit 10bfd453da64a057bcfd1a49fb6b271c48653cdb ]

It seems that if userspace provides a correct IFA_TARGET_NETNSID value
but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()
returns -EINVAL with an elevated "struct net" refcount.

Fixes: 6ecf4c37 ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Ahern <dsahern@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Hai <wanghai38@huawei.com>

parent acc28460

net/ipv6/addrconf.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -5443,9 +5443,10 @@ static int inet6_rtm_getaddr(struct sk_buff in_skb, struct nlmsghdr nlh,
		}

		addr = extract_addr(tb[IFA_ADDRESS], tb[IFA_LOCAL], &peer);
		if (!addr)
		return -EINVAL;

		if (!addr) {
		err = -EINVAL;
		goto errout;
		}
		ifm = nlmsg_data(nlh);
		if (ifm->ifa_index)
		dev = dev_get_by_index(tgt_net, ifm->ifa_index);