[PATCH 4.14 138/209] tipc: fix skb may be leaky in tipc_link_input

From: Greg Kroah-Hartman
Date: Wed Dec 04 2019 - 13:06:51 EST


From: Hoang Le <hoang.h.le@xxxxxxxxxxxxxx>

[ Upstream commit 7384b538d3aed2ed49d3575483d17aeee790fb06 ]

When we free skb at tipc_data_input, we return a 'false' boolean.
Then, skb passed to subcalling tipc_link_input in tipc_link_rcv,

<snip>
1303 int tipc_link_rcv:
...
1354 if (!tipc_data_input(l, skb, l->inputq))
1355 rc |= tipc_link_input(l, skb, l->inputq);
</snip>

Fix it by simple changing to a 'true' boolean when skb is being free-ed.
Then, tipc_link_rcv will bypassed to subcalling tipc_link_input as above
condition.

Acked-by: Ying Xue <ying.xue@xxxxxxxxxxxxx>
Acked-by: Jon Maloy <maloy@xxxxxxxxxxx>
Signed-off-by: Hoang Le <hoang.h.le@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
net/tipc/link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/link.c b/net/tipc/link.c
index 631bfc7e9127e..da749916faac4 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1073,7 +1073,7 @@ static bool tipc_data_input(struct tipc_link *l, struct sk_buff *skb,
default:
pr_warn("Dropping received illegal msg type\n");
kfree_skb(skb);
- return false;
+ return true;
};
}

--
2.20.1