From 11bba9eb4570f11e805ca479e7124c71bc7ae66f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 30 Mar 2020 16:32:23 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
	vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch
---
 queue-4.14/series                             |  1 +
 ...k-of-skb-if-input-policy-check-fails.patch | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 queue-4.14/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch

diff --git a/queue-4.14/series b/queue-4.14/series
index 1f7f4731839..df4a8db757b 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -108,3 +108,4 @@ xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch
 xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch
 netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch
 netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch
+vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch
diff --git a/queue-4.14/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch b/queue-4.14/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch
new file mode 100644
index 00000000000..8f4bfefba96
--- /dev/null
+++ b/queue-4.14/vti6-fix-memory-leak-of-skb-if-input-policy-check-fails.patch
@@ -0,0 +1,39 @@
+From 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df Mon Sep 17 00:00:00 2001
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Date: Wed, 11 Mar 2020 11:19:06 +0100
+Subject: vti6: Fix memory leak of skb if input policy check fails
+
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+
+commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.
+
+The vti6_rcv function performs some tests on the retrieved tunnel
+including checking the IP protocol, the XFRM input policy, the
+source and destination address.
+
+In all but one places the skb is released in the error case. When
+the input policy check fails the network packet is leaked.
+
+Using the same goto-label discard in this case to fix this problem.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/ip6_vti.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb)
+ 
+ 		if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+ 			rcu_read_unlock();
+-			return 0;
++			goto discard;
+ 		}
+ 
+ 		ipv6h = ipv6_hdr(skb);
-- 
2.47.3