4.14-stable patches

added patches:
	vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch

diff --git a/queue-4.14/series b/queue-4.14/series
index 1f7f47318399319dceace91267e1234d7424fac4..df4a8db757b865bf0988bf30ba8cb3d940bea03a 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -108,3 +108,4 @@ xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch
 xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch
 netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch
 netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch
+vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch

diff --git a/queue-4.14/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch b/queue-4.14/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch
new file mode 100644 (file)
index 0000000..8f4bfef
--- /dev/null
+++ b/queue-4.14/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch
@@ -0,0 +1,39 @@
+From 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df Mon Sep 17 00:00:00 2001
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Date: Wed, 11 Mar 2020 11:19:06 +0100
+Subject: vti6: Fix memory leak of skb if input policy check fails
+
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+
+commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.
+
+The vti6_rcv function performs some tests on the retrieved tunnel
+including checking the IP protocol, the XFRM input policy, the
+source and destination address.
+
+In all but one places the skb is released in the error case. When
+the input policy check fails the network packet is leaked.
+
+Using the same goto-label discard in this case to fix this problem.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/ip6_vti.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb)
+ 
+               if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+                       rcu_read_unlock();
+-                      return 0;
++                      goto discard;
+               }
+ 
+               ipv6h = ipv6_hdr(skb);