• Cong Wang's avatar
    ipv6: fix memory leaks on IPV6_ADDRFORM path · 86e4cc08
    Cong Wang authored
    [ Upstream commit 8c0de6e9 ]
    
    IPV6_ADDRFORM causes resource leaks when converting an IPv6 socket
    to IPv4, particularly struct ipv6_ac_socklist. Similar to
    struct ipv6_mc_socklist, we should just close it on this path.
    
    This bug can be easily reproduced with the following C program:
    
      #include <stdio.h>
      #include <string.h>
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <arpa/inet.h>
    
      int main()
      {
        int s, value;
        struct sockaddr_in6 addr;
        struct ipv6_mreq m6;
    
        s = socket(AF_INET6, SOCK_DGRAM, 0);
        addr.sin6_family = AF_INET6;
        addr.sin6_port = htons(5000);
        inet_pton(AF_INET6, "::ffff:192.168.122.194", &addr.sin6_addr);
        connect(s, (struct sockaddr *)&addr, sizeof(addr));
    
        inet_pton(AF_INET6, "fe80::AAAA", &m6.ipv6mr_multiaddr);
        m6.ipv6mr_interface = 5;
        setsockopt(s, SOL_IPV6, IPV6_JOIN_ANYCAST, &m6, sizeof(m6));
    
        value = AF_INET;
        setsockopt(s, SOL_IPV6, IPV6_ADDRFORM, &value, sizeof(value));
    
        close(s);
        return 0;
      }
    
    Reported-by: ch3332xr@gmail.com
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    86e4cc08
ipv6_sockglue.c 29.9 KB