Commit e7cff81c authored by Cong Wang's avatar Cong Wang Committed by Kelsey Skunberg

ipv6: fix memory leaks on IPV6_ADDRFORM path

BugLink: https://bugs.launchpad.net/bugs/1892822

[ Upstream commit 8c0de6e9 ]

IPV6_ADDRFORM causes resource leaks when converting an IPv6 socket
to IPv4, particularly struct ipv6_ac_socklist. Similar to
struct ipv6_mc_socklist, we should just close it on this path.

This bug can be easily reproduced with the following C program:

  #include <stdio.h>
  #include <string.h>
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <arpa/inet.h>

  int main()
  {
    int s, value;
    struct sockaddr_in6 addr;
    struct ipv6_mreq m6;

    s = socket(AF_INET6, SOCK_DGRAM, 0);
    addr.sin6_family = AF_INET6;
    addr.sin6_port = htons(5000);
    inet_pton(AF_INET6, "::ffff:192.168.122.194", &addr.sin6_addr);
    connect(s, (struct sockaddr *)&addr, sizeof(addr));

    inet_pton(AF_INET6, "fe80::AAAA", &m6.ipv6mr_multiaddr);
    m6.ipv6mr_interface = 5;
    setsockopt(s, SOL_IPV6, IPV6_JOIN_ANYCAST, &m6, sizeof(m6));

    value = AF_INET;
    setsockopt(s, SOL_IPV6, IPV6_ADDRFORM, &value, sizeof(value));

    close(s);
    return 0;
  }

Reported-by: ch3332xr@gmail.com
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: default avatarIan May <ian.may@canonical.com>
Signed-off-by: default avatarKelsey Skunberg <kelsey.skunberg@canonical.com>
parent 29c22830
...@@ -239,6 +239,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, ...@@ -239,6 +239,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex,
const struct in6_addr *addr); const struct in6_addr *addr);
int ipv6_sock_ac_drop(struct sock *sk, int ifindex, int ipv6_sock_ac_drop(struct sock *sk, int ifindex,
const struct in6_addr *addr); const struct in6_addr *addr);
void __ipv6_sock_ac_close(struct sock *sk);
void ipv6_sock_ac_close(struct sock *sk); void ipv6_sock_ac_close(struct sock *sk);
int __ipv6_dev_ac_inc(struct inet6_dev *idev, const struct in6_addr *addr); int __ipv6_dev_ac_inc(struct inet6_dev *idev, const struct in6_addr *addr);
......
...@@ -170,7 +170,7 @@ int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr) ...@@ -170,7 +170,7 @@ int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr)
return 0; return 0;
} }
void ipv6_sock_ac_close(struct sock *sk) void __ipv6_sock_ac_close(struct sock *sk)
{ {
struct ipv6_pinfo *np = inet6_sk(sk); struct ipv6_pinfo *np = inet6_sk(sk);
struct net_device *dev = NULL; struct net_device *dev = NULL;
...@@ -178,10 +178,7 @@ void ipv6_sock_ac_close(struct sock *sk) ...@@ -178,10 +178,7 @@ void ipv6_sock_ac_close(struct sock *sk)
struct net *net = sock_net(sk); struct net *net = sock_net(sk);
int prev_index; int prev_index;
if (!np->ipv6_ac_list) ASSERT_RTNL();
return;
rtnl_lock();
pac = np->ipv6_ac_list; pac = np->ipv6_ac_list;
np->ipv6_ac_list = NULL; np->ipv6_ac_list = NULL;
...@@ -198,6 +195,16 @@ void ipv6_sock_ac_close(struct sock *sk) ...@@ -198,6 +195,16 @@ void ipv6_sock_ac_close(struct sock *sk)
sock_kfree_s(sk, pac, sizeof(*pac)); sock_kfree_s(sk, pac, sizeof(*pac));
pac = next; pac = next;
} }
}
void ipv6_sock_ac_close(struct sock *sk)
{
struct ipv6_pinfo *np = inet6_sk(sk);
if (!np->ipv6_ac_list)
return;
rtnl_lock();
__ipv6_sock_ac_close(sk);
rtnl_unlock(); rtnl_unlock();
} }
......
...@@ -207,6 +207,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, ...@@ -207,6 +207,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
fl6_free_socklist(sk); fl6_free_socklist(sk);
__ipv6_sock_mc_close(sk); __ipv6_sock_mc_close(sk);
__ipv6_sock_ac_close(sk);
/* /*
* Sock is moving from IPv6 to IPv4 (sk_prot), so * Sock is moving from IPv6 to IPv4 (sk_prot), so
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment