Commit f2c31e32b378 (net: fix NULL dereferences in check_peer_redir())
added a regression in rt6_fill_node(), leading to rcu_read_lock()
imbalance.
That's because NLA_PUT() can make a jump to the nla_put_failure label.
Fix this by using nla_put().
Many thanks to Ben Greear for his help.
Reported-by: Ben Greear <greearb@candelatech.com>
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
net/ipv6/route.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 24c456e..496b627 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@ -2474,8 +2474,12
@ static int rt6_fill_node(struct net *net,
rcu_read_lock();
n = dst_get_neighbour_noref(&rt->dst);
- if (n)
- NLA_PUT(skb, RTA_GATEWAY, 16, &n->primary_key);
+ if (n) {
+ if (nla_put(skb, RTA_GATEWAY, 16, &n->primary_key) < 0) {
+ rcu_read_unlock();
+ goto nla_put_failure;
+ }
+ }
rcu_read_unlock();
if (rt->dst.dev)
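Review bot: The open-coded nla_put() inside the `if (n)` branch carries no comment explaining why the NLA_PUT() macro must not be used between rcu_read_lock() and rcu_read_unlock(), so a later cleanup could convert it back and reintroduce the imbalance. A one-line comment above the call stating that NLA_PUT() hides a goto to nla_put_failure would document the constraint. Two smaller points on the same lines: the nested ifs can be collapsed into a single `if (n && nla_put(skb, RTA_GATEWAY, 16, &n->primary_key) < 0) {`, and the literal 16 would read better as sizeof(struct in6_addr), since the attribute is an IPv6 gateway address.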