Commit | Line | Data |
---|---|---|
45426b3c GKH |
1 | From 499031ac8a3df6738f6186ded9da853e8ea18253 Mon Sep 17 00:00:00 2001 |
2 | From: Eric Dumazet <eric.dumazet@gmail.com> | |
3 | Date: Fri, 2 Jul 2010 10:05:01 +0200 | |
4 | Subject: netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT | |
5 | ||
6 | From: Eric Dumazet <eric.dumazet@gmail.com> | |
7 | ||
8 | commit 499031ac8a3df6738f6186ded9da853e8ea18253 upstream. | |
9 | ||
10 | We should release dst if dst->error is set. | |
11 | ||
12 | Bug introduced in 2.6.14 by commit e104411b82f5c | |
13 | ([XFRM]: Always release dst_entry on error in xfrm_lookup) | |
14 | ||
15 | Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> | |
16 | Signed-off-by: Patrick McHardy <kaber@trash.net> | |
17 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
18 | ||
19 | --- | |
20 | net/ipv6/netfilter/ip6t_REJECT.c | 6 ++++-- | |
21 | 1 file changed, 4 insertions(+), 2 deletions(-) | |
22 | ||
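--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -95,9 +95,11 @@ static void send_reset(struct net *net,
 fl.fl_ip_dport = otcph.source;
 security_skb_classify_flow(oldskb, &fl);
 dst = ip6_route_output(net, NULL, &fl);
- if (dst == NULL)
+ if (dst == NULL || dst->error) {
+ dst_release(dst);
 return;
- if (dst->error || xfrm_lookup(net, &dst, &fl, NULL, 0))
+ }
+ if (xfrm_lookup(net, &dst, &fl, NULL, 0))
 return;
 
 hh_len = (dst->dev->hard_header_len + 15)&~15;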
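Review bot: The merged early-exit branch calls `dst_release(dst)` even when `dst == NULL`, and the `xfrm_lookup()` failure path below it returns without any release; both are correct only because of callee behaviour that the code does not state. dst_release() tolerates a NULL argument, and per the commit message xfrm_lookup() drops the dst itself on error, so I would add `/* dst_release() accepts NULL */` inside the first branch and `/* xfrm_lookup() has already released dst on failure */` above the second `return;`. Since send_reset() runs for packets that hit a REJECT rule, a missed or doubled release here is presumably reachable from network traffic, which makes the ownership rule worth pinning down in a comment. send_reset's body begins and ends outside the hunk, so the later exit paths cannot be checked from here.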