!6654 net/ipv6: avoid possible UAF in ip6_route_mpath_notify() (b93b1105) · Commits · EulixOS / Software / Kernel

net/ipv6/route.c

+7 −14

Original line number	Diff line number	Diff line
		@@ -5230,19 +5230,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
		err_nh = NULL;
		list_for_each_entry(nh, &rt6_nh_list, next) {
		err = __ip6_ins_rt(nh->fib6_info, info, extack);
		fib6_info_release(nh->fib6_info);

		if (!err) {
		/* save reference to last route successfully inserted */
		rt_last = nh->fib6_info;

		/* save reference to first route for notification */
		if (!rt_notif)
		rt_notif = nh->fib6_info;
		}

		/* nh->fib6_info is used or freed at this point, reset to NULL*/
		nh->fib6_info = NULL;
		if (err) {
		if (replace && nhn)
		NL_SET_ERR_MSG_MOD(extack,
		@@ -5250,6 +5238,12 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
		err_nh = nh;
		goto add_errout;
		}
		/* save reference to last route successfully inserted */
		rt_last = nh->fib6_info;

		/* save reference to first route for notification */
		if (!rt_notif)
		rt_notif = nh->fib6_info;

		/* Because each route is added like a single route we remove
		* these flags after the first nexthop: if there is a collision,
		@@ -5310,7 +5304,6 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,

		cleanup:
		list_for_each_entry_safe(nh, nh_safe, &rt6_nh_list, next) {
		if (nh->fib6_info)
		fib6_info_release(nh->fib6_info);
		list_del(&nh->next);
		kfree(nh);