netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [net-next][PATCH] net/ipv4: fix a net leak
@ 2018-10-24  9:36 Li RongQing
  2018-10-24 15:02 ` David Ahern
  0 siblings, 1 reply; 5+ messages in thread
From: Li RongQing @ 2018-10-24  9:36 UTC (permalink / raw)
  To: netdev, dsahern

put net when input a invalid ifindex, otherwise it will be leaked

Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
Cc: David Ahern <dsahern@gmail.com>
Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
 net/ipv4/devinet.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 63d5b58fbfdb..fd0c5a47e742 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
 
 		if (fillargs.ifindex) {
 			dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
-			if (!dev)
+			if (!dev) {
+				put_net(tgt_net);
 				return -ENODEV;
+			}
 
 			in_dev = __in_dev_get_rtnl(dev);
 			if (in_dev) {
-- 
2.16.2

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
  2018-10-24  9:36 [net-next][PATCH] net/ipv4: fix a net leak Li RongQing
@ 2018-10-24 15:02 ` David Ahern
  2018-10-24 15:21   ` David Ahern
  0 siblings, 1 reply; 5+ messages in thread
From: David Ahern @ 2018-10-24 15:02 UTC (permalink / raw)
  To: Li RongQing, netdev

On 10/24/18 3:36 AM, Li RongQing wrote:
> put net when input a invalid ifindex, otherwise it will be leaked
> 
> Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
> Cc: David Ahern <dsahern@gmail.com>
> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> ---
>  net/ipv4/devinet.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
> index 63d5b58fbfdb..fd0c5a47e742 100644
> --- a/net/ipv4/devinet.c
> +++ b/net/ipv4/devinet.c
> @@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
>  
>  		if (fillargs.ifindex) {
>  			dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
> -			if (!dev)
> +			if (!dev) {
> +				put_net(tgt_net);
>  				return -ENODEV;
> +			}
>  
>  			in_dev = __in_dev_get_rtnl(dev);
>  			if (in_dev) {
> 

Good catch. IPv6 has the same problem. Will fix that one.

Reviewed-by: David Ahern <dsahern@gmail.com>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
  2018-10-24 15:02 ` David Ahern
@ 2018-10-24 15:21   ` David Ahern
  2018-10-25 18:43     ` Bjørn Mork
  0 siblings, 1 reply; 5+ messages in thread
From: David Ahern @ 2018-10-24 15:21 UTC (permalink / raw)
  To: David Ahern, Li RongQing, netdev, David Miller

On 10/24/18 9:02 AM, David Ahern wrote:
> On 10/24/18 3:36 AM, Li RongQing wrote:
>> put net when input a invalid ifindex, otherwise it will be leaked
>>
>> Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
>> Cc: David Ahern <dsahern@gmail.com>
>> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
>> Signed-off-by: Li RongQing <lirongqing@baidu.com>
>> ---
>>  net/ipv4/devinet.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
>> index 63d5b58fbfdb..fd0c5a47e742 100644
>> --- a/net/ipv4/devinet.c
>> +++ b/net/ipv4/devinet.c
>> @@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
>>  
>>  		if (fillargs.ifindex) {
>>  			dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
>> -			if (!dev)
>> +			if (!dev) {
>> +				put_net(tgt_net);
>>  				return -ENODEV;
>> +			}
>>  
>>  			in_dev = __in_dev_get_rtnl(dev);
>>  			if (in_dev) {
>>
> 
> Good catch. IPv6 has the same problem. Will fix that one.
> 
Actually remove that 'Reviewed-by'. You should only call put_net if
(fillargs.netnsid >= 0)

DaveM: just want to call this out since I mistakenly added the
Reviewed-by. This patch should be dropped.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
  2018-10-24 15:21   ` David Ahern
@ 2018-10-25 18:43     ` Bjørn Mork
  2018-10-25 18:46       ` David Ahern
  0 siblings, 1 reply; 5+ messages in thread
From: Bjørn Mork @ 2018-10-25 18:43 UTC (permalink / raw)
  To: David Ahern; +Cc: Li RongQing, netdev, David Miller

David Ahern <dsahern@gmail.com> writes:
> On 10/24/18 9:02 AM, David Ahern wrote:
>> On 10/24/18 3:36 AM, Li RongQing wrote:
>>> put net when input a invalid ifindex, otherwise it will be leaked
>>>
>>> Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
>>> Cc: David Ahern <dsahern@gmail.com>
>>> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
>>> Signed-off-by: Li RongQing <lirongqing@baidu.com>
>>> ---
>>>  net/ipv4/devinet.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
>>> index 63d5b58fbfdb..fd0c5a47e742 100644
>>> --- a/net/ipv4/devinet.c
>>> +++ b/net/ipv4/devinet.c
>>> @@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
>>>  
>>>  		if (fillargs.ifindex) {
>>>  			dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
>>> -			if (!dev)
>>> +			if (!dev) {
>>> +				put_net(tgt_net);
>>>  				return -ENODEV;
>>> +			}
>>>  
>>>  			in_dev = __in_dev_get_rtnl(dev);
>>>  			if (in_dev) {
>>>
>> 
>> Good catch. IPv6 has the same problem. Will fix that one.
>> 
> Actually remove that 'Reviewed-by'. You should only call put_net if
> (fillargs.netnsid >= 0)
>
> DaveM: just want to call this out since I mistakenly added the
> Reviewed-by. This patch should be dropped.

Hmm, I see that you implemented that.  But I believe it's still buggy if
called with an invalid netnsid.

inet_valid_dump_ifaddr_req() will bail out with an error, but only
*after* setting fillargs->netnsid:

                if (i == IFA_TARGET_NETNSID) {
                        struct net *net;

                        fillargs->netnsid = nla_get_s32(tb[i]);

                        net = rtnl_get_net_ns_capable(sk, fillargs->netnsid);
                        if (IS_ERR(net)) {
                                NL_SET_ERR_MSG(extack, "ipv4: Invalid target network namespace id");
                                return PTR_ERR(net);
                        }
                        *tgt_net = net;
                } else {



So inet_dump_ifaddr() ends up doing put_net(tgt_net):


                err = inet_valid_dump_ifaddr_req(nlh, &fillargs, &tgt_net,
                                                 skb->sk, cb);
                if (err < 0)
                        goto put_tgt_net;
..
put_tgt_net:
        if (fillargs.netnsid >= 0)
                put_net(tgt_net);



I believe you should set fillargs->netnsid back to -1 in the
inet_valid_dump_ifaddr_req() error path, or use a temp variable to avoid
changing it unless get_net is successful.



Bjørn

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
  2018-10-25 18:43     ` Bjørn Mork
@ 2018-10-25 18:46       ` David Ahern
  0 siblings, 0 replies; 5+ messages in thread
From: David Ahern @ 2018-10-25 18:46 UTC (permalink / raw)
  To: Bjørn Mork; +Cc: Li RongQing, netdev, David Miller

On 10/25/18 12:43 PM, Bjørn Mork wrote:
> 
> inet_valid_dump_ifaddr_req() will bail out with an error, but only
> *after* setting fillargs->netnsid:
> 
>                 if (i == IFA_TARGET_NETNSID) {
>                         struct net *net;
> 
>                         fillargs->netnsid = nla_get_s32(tb[i]);
> 
>                         net = rtnl_get_net_ns_capable(sk, fillargs->netnsid);
>                         if (IS_ERR(net)) {
>                                 NL_SET_ERR_MSG(extack, "ipv4: Invalid target network namespace id");
>                                 return PTR_ERR(net);
>                         }
>                         *tgt_net = net;
>                 } else {
> 
> 
> 
> So inet_dump_ifaddr() ends up doing put_net(tgt_net):
> 
> 
>                 err = inet_valid_dump_ifaddr_req(nlh, &fillargs, &tgt_net,
>                                                  skb->sk, cb);
>                 if (err < 0)
>                         goto put_tgt_net;
> ..
> put_tgt_net:
>         if (fillargs.netnsid >= 0)
>                 put_net(tgt_net);
> 
> 
> 
> I believe you should set fillargs->netnsid back to -1 in the
> inet_valid_dump_ifaddr_req() error path, or use a temp variable to avoid
> changing it unless get_net is successful.

good point. either use of an intermediate or resetting nsid on failure.
Will you send a patch to fix ipv4 and v6?

Thanks,

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-10-26  3:20 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-24  9:36 [net-next][PATCH] net/ipv4: fix a net leak Li RongQing
2018-10-24 15:02 ` David Ahern
2018-10-24 15:21   ` David Ahern
2018-10-25 18:43     ` Bjørn Mork
2018-10-25 18:46       ` David Ahern

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).