From: Eric Dumazet <edumazet@google.com>
Date: Thu, 22 Feb 2024 12:17:47 +0000 (+0000)
Subject: ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
X-Git-Tag: v5.15.151~76
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8a54834c03c30e549c33d5da0975f3e1454ec906;p=thirdparty%2Fkernel%2Fstable.git

ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()

[ Upstream commit 10bfd453da64a057bcfd1a49fb6b271c48653cdb ]

It seems that if userspace provides a correct IFA_TARGET_NETNSID value
but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()
returns -EINVAL with an elevated "struct net" refcount.

Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Ahern <dsahern@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index c52317184e3e2..968ca078191cd 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5463,9 +5463,10 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh,
 	}
 
 	addr = extract_addr(tb[IFA_ADDRESS], tb[IFA_LOCAL], &peer);
-	if (!addr)
-		return -EINVAL;
-
+	if (!addr) {
+		err = -EINVAL;
+		goto errout;
+	}
 	ifm = nlmsg_data(nlh);
 	if (ifm->ifa_index)
 		dev = dev_get_by_index(tgt_net, ifm->ifa_index);