| Message ID | 1631161930-77772-1-git-send-email-xiyuyang19@fudan.edu.cn |
|---|---|
| State | New |
| Headers | show |
| Series | net/l2tp: Fix reference count leak in l2tp_udp_recv_core | expand |
On Thu, Sep 09, 2021 at 12:32:00 +0800, Xiyu Yang wrote: > The reference count leak issue may take place in an error handling > path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the > return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function > would directly jump to label invalid, without decrementing the reference > count of the l2tp_session object session increased earlier by > l2tp_tunnel_get_session(). This may result in refcount leaks. I agree with your analysis. Thanks for catching this! > > Fix this issue by decrease the reference count before jumping to the > label invalid. > > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> > Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> > --- > net/l2tp/l2tp_core.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c > index 53486b162f01..93271a2632b8 100644 > --- a/net/l2tp/l2tp_core.c > +++ b/net/l2tp/l2tp_core.c > @@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb) > } > > if (tunnel->version == L2TP_HDR_VER_3 && > - l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) > + l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { > + l2tp_session_dec_refcount(session); > goto invalid; > + } The error paths in l2tp_udp_recv_core are a bit convoluted because of the check (!session || !session->recv_skb) which may or may not need to drop a session reference if triggered. I think it could be simplified since session->recv_skb is always set for all the current session types in the tree, but doing that is probably a little patch series on its own. > > l2tp_recv_common(session, skb, ptr, optr, hdrflags, length); > l2tp_session_dec_refcount(session); > -- > 2.7.4 >
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Thu, 9 Sep 2021 12:32:00 +0800 you wrote: > The reference count leak issue may take place in an error handling > path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the > return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function > would directly jump to label invalid, without decrementing the reference > count of the l2tp_session object session increased earlier by > l2tp_tunnel_get_session(). This may result in refcount leaks. > > [...] Here is the summary with links: - net/l2tp: Fix reference count leak in l2tp_udp_recv_core https://git.kernel.org/netdev/net/c/9b6ff7eb6664 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 53486b162f01..93271a2632b8 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb) } if (tunnel->version == L2TP_HDR_VER_3 && - l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) + l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { + l2tp_session_dec_refcount(session); goto invalid; + } l2tp_recv_common(session, skb, ptr, optr, hdrflags, length); l2tp_session_dec_refcount(session);