master

分支 (27)

标签 (22)

管理

管理

master

openEuler-24.03-LTS

openEuler-24.03-LTS-SP1

openEuler-24.03-LTS-Next

openEuler-24.03-LTS-SP2

openEuler-25.03

openEuler-24.09

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-Next

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS-SP1

openEuler-23.09

openEuler-22.03-LTS

openEuler-23.03

openEuler-20.03-LTS-SP1

openEuler-22.09

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-20.03-LTS-SP2

openEuler-25.03-release

openEuler-24.03-LTS-SP1-release

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

libnl3
/
backport-fix-reference-counters-of-sa...

From c4c22d267117900b9582d5c2e934c107419c9603 Mon Sep 17 00:00:00 2001
From: Thomas Egerer <thomas.egerer@secunet.com>
Date: Mon, 27 Nov 2023 15:58:19 +0100
Subject: [PATCH] xfrm/sp: fix reference counters of sa selector/tmpl addresses

It's a similar issue as in commit 3f4f1dda, when calling
xfrmnl_sp_parse, the refcount of the addresses for selectors and
templates increases to two, as xfrmnl_sel_set_[s|d]addr and
xfrmnl_user_tmpl_set_[s|d]addr add another reference to the address
object. As only one of those refs is dropped in sel_destroy or
xfrmnl_user_tmpl_free respectively the address objects' refcount
will never drop to zero, causing a leak.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

Fixes: 917154470895 ('xfrm: add xfrm support')

Conflict:NA
Reference:https://github.com/thom311/libnl/commit/c4c22d267117900b9582d5c2e934c107419c9603

---
 lib/xfrm/sp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/xfrm/sp.c b/lib/xfrm/sp.c
index ab7cf89..d38daef 100644
--- a/lib/xfrm/sp.c
+++ b/lib/xfrm/sp.c
@@ -563,6 +563,8 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 		addr    = nl_addr_build (sp_info->sel.family, &sp_info->sel.daddr.a6, sizeof (sp_info->sel.daddr.a6));
 	nl_addr_set_prefixlen (addr, sp_info->sel.prefixlen_d);
 	xfrmnl_sel_set_daddr (sp->sel, addr);
+	/* Drop the reference count from the above set operation */
+	nl_addr_put(addr);
 	xfrmnl_sel_set_prefixlen_d (sp->sel, sp_info->sel.prefixlen_d);

 	if (sp_info->sel.family == AF_INET)
@@ -571,6 +573,8 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 		addr    = nl_addr_build (sp_info->sel.family, &sp_info->sel.saddr.a6, sizeof (sp_info->sel.saddr.a6));
 	nl_addr_set_prefixlen (addr, sp_info->sel.prefixlen_s);
 	xfrmnl_sel_set_saddr (sp->sel, addr);
+	/* Drop the reference count from the above set operation */
+	nl_addr_put(addr);
 	xfrmnl_sel_set_prefixlen_s (sp->sel, sp_info->sel.prefixlen_s);

 	xfrmnl_sel_set_dport (sp->sel, ntohs (sp_info->sel.dport));
@@ -647,6 +651,8 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 			else
 				addr = nl_addr_build(tmpl->family, &tmpl->id.daddr.a6, sizeof (tmpl->id.daddr.a6));
 			xfrmnl_user_tmpl_set_daddr (sputmpl, addr);
+			/* Drop the reference count from the above set operation */
+			nl_addr_put(addr);
 			xfrmnl_user_tmpl_set_spi (sputmpl, ntohl(tmpl->id.spi));
 			xfrmnl_user_tmpl_set_proto (sputmpl, tmpl->id.proto);
 			xfrmnl_user_tmpl_set_family (sputmpl, tmpl->family);
@@ -656,6 +662,8 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 			else
 				addr = nl_addr_build(tmpl->family, &tmpl->saddr.a6, sizeof (tmpl->saddr.a6));
 			xfrmnl_user_tmpl_set_saddr (sputmpl, addr);
+			/* Drop the reference count from the above set operation */
+			nl_addr_put(addr);

 			xfrmnl_user_tmpl_set_reqid (sputmpl, tmpl->reqid);
 			xfrmnl_user_tmpl_set_mode (sputmpl, tmpl->mode);
--
2.33.0