* [net-next][PATCH] net/ipv4: fix a net leak
@ 2018-10-24 9:36 Li RongQing
2018-10-24 15:02 ` David Ahern
0 siblings, 1 reply; 5+ messages in thread
From: Li RongQing @ 2018-10-24 9:36 UTC (permalink / raw)
To: netdev, dsahern
put net when input a invalid ifindex, otherwise it will be leaked
Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
Cc: David Ahern <dsahern@gmail.com>
Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
net/ipv4/devinet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 63d5b58fbfdb..fd0c5a47e742 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
if (fillargs.ifindex) {
dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
- if (!dev)
+ if (!dev) {
+ put_net(tgt_net);
return -ENODEV;
+ }
in_dev = __in_dev_get_rtnl(dev);
if (in_dev) {
--
2.16.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
2018-10-24 9:36 [net-next][PATCH] net/ipv4: fix a net leak Li RongQing
@ 2018-10-24 15:02 ` David Ahern
2018-10-24 15:21 ` David Ahern
0 siblings, 1 reply; 5+ messages in thread
From: David Ahern @ 2018-10-24 15:02 UTC (permalink / raw)
To: Li RongQing, netdev
On 10/24/18 3:36 AM, Li RongQing wrote:
> put net when input a invalid ifindex, otherwise it will be leaked
>
> Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
> Cc: David Ahern <dsahern@gmail.com>
> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> ---
> net/ipv4/devinet.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
> index 63d5b58fbfdb..fd0c5a47e742 100644
> --- a/net/ipv4/devinet.c
> +++ b/net/ipv4/devinet.c
> @@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
>
> if (fillargs.ifindex) {
> dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
> - if (!dev)
> + if (!dev) {
> + put_net(tgt_net);
> return -ENODEV;
> + }
>
> in_dev = __in_dev_get_rtnl(dev);
> if (in_dev) {
>
Good catch. IPv6 has the same problem. Will fix that one.
Reviewed-by: David Ahern <dsahern@gmail.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
2018-10-24 15:02 ` David Ahern
@ 2018-10-24 15:21 ` David Ahern
2018-10-25 18:43 ` Bjørn Mork
0 siblings, 1 reply; 5+ messages in thread
From: David Ahern @ 2018-10-24 15:21 UTC (permalink / raw)
To: David Ahern, Li RongQing, netdev, David Miller
On 10/24/18 9:02 AM, David Ahern wrote:
> On 10/24/18 3:36 AM, Li RongQing wrote:
>> put net when input a invalid ifindex, otherwise it will be leaked
>>
>> Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
>> Cc: David Ahern <dsahern@gmail.com>
>> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
>> Signed-off-by: Li RongQing <lirongqing@baidu.com>
>> ---
>> net/ipv4/devinet.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
>> index 63d5b58fbfdb..fd0c5a47e742 100644
>> --- a/net/ipv4/devinet.c
>> +++ b/net/ipv4/devinet.c
>> @@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
>>
>> if (fillargs.ifindex) {
>> dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
>> - if (!dev)
>> + if (!dev) {
>> + put_net(tgt_net);
>> return -ENODEV;
>> + }
>>
>> in_dev = __in_dev_get_rtnl(dev);
>> if (in_dev) {
>>
>
> Good catch. IPv6 has the same problem. Will fix that one.
>
Actually remove that 'Reviewed-by'. You should only call put_net if
(fillargs.netnsid >= 0)
DaveM: just want to call this out since I mistakenly added the
Reviewed-by. This patch should be dropped.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
2018-10-24 15:21 ` David Ahern
@ 2018-10-25 18:43 ` Bjørn Mork
2018-10-25 18:46 ` David Ahern
0 siblings, 1 reply; 5+ messages in thread
From: Bjørn Mork @ 2018-10-25 18:43 UTC (permalink / raw)
To: David Ahern; +Cc: Li RongQing, netdev, David Miller
David Ahern <dsahern@gmail.com> writes:
> On 10/24/18 9:02 AM, David Ahern wrote:
>> On 10/24/18 3:36 AM, Li RongQing wrote:
>>> put net when input a invalid ifindex, otherwise it will be leaked
>>>
>>> Fixes: 5fcd266a9f64("net/ipv4: Add support for dumping addresses for a specific device")
>>> Cc: David Ahern <dsahern@gmail.com>
>>> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
>>> Signed-off-by: Li RongQing <lirongqing@baidu.com>
>>> ---
>>> net/ipv4/devinet.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
>>> index 63d5b58fbfdb..fd0c5a47e742 100644
>>> --- a/net/ipv4/devinet.c
>>> +++ b/net/ipv4/devinet.c
>>> @@ -1775,8 +1775,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
>>>
>>> if (fillargs.ifindex) {
>>> dev = __dev_get_by_index(tgt_net, fillargs.ifindex);
>>> - if (!dev)
>>> + if (!dev) {
>>> + put_net(tgt_net);
>>> return -ENODEV;
>>> + }
>>>
>>> in_dev = __in_dev_get_rtnl(dev);
>>> if (in_dev) {
>>>
>>
>> Good catch. IPv6 has the same problem. Will fix that one.
>>
> Actually remove that 'Reviewed-by'. You should only call put_net if
> (fillargs.netnsid >= 0)
>
> DaveM: just want to call this out since I mistakenly added the
> Reviewed-by. This patch should be dropped.
Hmm, I see that you implemented that. But I believe it's still buggy if
called with an invalid netnsid.
inet_valid_dump_ifaddr_req() will bail out with an error, but only
*after* setting fillargs->netnsid:
if (i == IFA_TARGET_NETNSID) {
struct net *net;
fillargs->netnsid = nla_get_s32(tb[i]);
net = rtnl_get_net_ns_capable(sk, fillargs->netnsid);
if (IS_ERR(net)) {
NL_SET_ERR_MSG(extack, "ipv4: Invalid target network namespace id");
return PTR_ERR(net);
}
*tgt_net = net;
} else {
So inet_dump_ifaddr() ends up doing put_net(tgt_net):
err = inet_valid_dump_ifaddr_req(nlh, &fillargs, &tgt_net,
skb->sk, cb);
if (err < 0)
goto put_tgt_net;
..
put_tgt_net:
if (fillargs.netnsid >= 0)
put_net(tgt_net);
I believe you should set fillargs->netnsid back to -1 in the
inet_valid_dump_ifaddr_req() error path, or use a temp variable to avoid
changing it unless get_net is successful.
Bjørn
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [net-next][PATCH] net/ipv4: fix a net leak
2018-10-25 18:43 ` Bjørn Mork
@ 2018-10-25 18:46 ` David Ahern
0 siblings, 0 replies; 5+ messages in thread
From: David Ahern @ 2018-10-25 18:46 UTC (permalink / raw)
To: Bjørn Mork; +Cc: Li RongQing, netdev, David Miller
On 10/25/18 12:43 PM, Bjørn Mork wrote:
>
> inet_valid_dump_ifaddr_req() will bail out with an error, but only
> *after* setting fillargs->netnsid:
>
> if (i == IFA_TARGET_NETNSID) {
> struct net *net;
>
> fillargs->netnsid = nla_get_s32(tb[i]);
>
> net = rtnl_get_net_ns_capable(sk, fillargs->netnsid);
> if (IS_ERR(net)) {
> NL_SET_ERR_MSG(extack, "ipv4: Invalid target network namespace id");
> return PTR_ERR(net);
> }
> *tgt_net = net;
> } else {
>
>
>
> So inet_dump_ifaddr() ends up doing put_net(tgt_net):
>
>
> err = inet_valid_dump_ifaddr_req(nlh, &fillargs, &tgt_net,
> skb->sk, cb);
> if (err < 0)
> goto put_tgt_net;
> ..
> put_tgt_net:
> if (fillargs.netnsid >= 0)
> put_net(tgt_net);
>
>
>
> I believe you should set fillargs->netnsid back to -1 in the
> inet_valid_dump_ifaddr_req() error path, or use a temp variable to avoid
> changing it unless get_net is successful.
good point. either use of an intermediate or resetting nsid on failure.
Will you send a patch to fix ipv4 and v6?
Thanks,
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-10-26 3:20 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-24 9:36 [net-next][PATCH] net/ipv4: fix a net leak Li RongQing
2018-10-24 15:02 ` David Ahern
2018-10-24 15:21 ` David Ahern
2018-10-25 18:43 ` Bjørn Mork
2018-10-25 18:46 ` David Ahern
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).