From: Denis V. Lunev Date: Tue, 19 Feb 2008 04:49:36 +0000 (-0800) Subject: [IPV6]: dst_entry leak in ip4ip6_err. (resend) X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9937ded8e44de8865cba1509d24eea9d350cebf0;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [IPV6]: dst_entry leak in ip4ip6_err. (resend) The result of the ip_route_output is not assigned to skb. This means that - it is leaked - possible OOPS below dereferrencing skb->dst - no ICMP message for this case Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller --- diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 9031e521c1df..cd940647bd12 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -550,6 +550,7 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, ip_rt_put(rt); goto out; } + skb2->dst = (struct dst_entry *)rt; } else { ip_rt_put(rt); if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos,