diff options
| author | David S. Miller <davem@davemloft.net> | 2008-04-18 04:46:19 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-04-18 04:46:19 -0400 |
| commit | 3c051235a7f115c34e675c9cf55820bd3435f860 (patch) | |
| tree | 85fd6bf395a8bf5934bd278f6354b1e94110a51f | |
| parent | 1e42198609d73ed1a9adcba2af275c24c2678420 (diff) | |
[IPV6]: Fix dangling references on error in fib6_add().
Fixes bugzilla #8895
If a super-tree leaf has 'rt' assigned to it and we
get an error from fib6_add_rt2node(), we'll leave
a reference to 'rt' in pn->leaf and then do an
unconditional dst_free().
We should prune such references.
Based upon a report by Vincent Perrier.
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv6/ip6_fib.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index b3f6e03c454c..50f3f8f8a59b 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c | |||
| @@ -772,6 +772,10 @@ out: | |||
| 772 | * If fib6_add_1 has cleared the old leaf pointer in the | 772 | * If fib6_add_1 has cleared the old leaf pointer in the |
| 773 | * super-tree leaf node we have to find a new one for it. | 773 | * super-tree leaf node we have to find a new one for it. |
| 774 | */ | 774 | */ |
| 775 | if (pn != fn && pn->leaf == rt) { | ||
| 776 | pn->leaf = NULL; | ||
| 777 | atomic_dec(&rt->rt6i_ref); | ||
| 778 | } | ||
| 775 | if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO)) { | 779 | if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO)) { |
| 776 | pn->leaf = fib6_find_prefix(info->nl_net, pn); | 780 | pn->leaf = fib6_find_prefix(info->nl_net, pn); |
| 777 | #if RT6_DEBUG >= 2 | 781 | #if RT6_DEBUG >= 2 |