From: David S. Miller
Date: Mon, 5 Jun 2017 01:41:10 +0000 (-0400)
Subject: ipv6: Fix leak in ipv6_gso_segment().
X-Git-Tag: archive/raspbian/4.15.4-1+rpi1~1^2^2^2^2^2^2^2^2^2^2^2~36
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b4f9f8af321b970f5396ef1eadbe4c3d8785e76b;p=linux.git

ipv6: Fix leak in ipv6_gso_segment().

If ip6_find_1stfragopt() fails and we return an error we have to free up 'segs' because nobody else is going to.

Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
Reported-by: Ben Hutchings
Signed-off-by: David S. Miller

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name ipv6-fix-leak-in-ipv6_gso_segment.patch
---
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c index 013086b248e..424fbe1f897 100644 --- a/net/ipv6/ip6_offload.c +++ b/net/ipv6/ip6_offload.c @@ -116,8 +116,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, if (udpfrag) { int err = ip6_find_1stfragopt(skb, &prevhdr); - if (err < 0) + if (err < 0) { + kfree_skb_list(segs); return ERR_PTR(err); + } fptr = (struct frag_hdr *)((u8 *)ipv6h + err); fptr->frag_off = htons(offset); if (skb->next)
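
Review bot: the new `kfree_skb_list(segs);` in the `if (err < 0)` branch carries no comment saying why this function owns the list at that point. The commit message gives the reason (nobody else frees 'segs' once an error is returned), and a one-line comment to that effect at the call would help whoever next adds an early return in this block avoid reintroducing the leak. If further failure exits are expected here, a single cleanup label that frees `segs` and returns `ERR_PTR(err)` would keep the ownership rule in one place instead of repeating it per branch. A smaller readability point in the same hunk: `err` is also the value added to `ipv6h` in `(u8 *)ipv6h + err`, so on the success path it holds a header offset, not an error; a short comment on the declaration saying that a non-negative return from `ip6_find_1stfragopt()` is the offset would make the `< 0` test easier to follow.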