Skip to content

Commit

Permalink
[IPV6]: Fix dangling references on error in fib6_add().
Browse files Browse the repository at this point in the history 
Fixes bugzilla #8895

If a super-tree leaf has 'rt' assigned to it and we
get an error from fib6_add_rt2node(), we'll leave
a reference to 'rt' in pn->leaf and then do an
unconditional dst_free().

We should prune such references.

Based upon a report by Vincent Perrier.

Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
David S. Miller committed Apr 18, 2008
1 parent 1e42198 commit 3c05123
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions net/ipv6/ip6_fib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -772,6 +772,10 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
* If fib6_add_1 has cleared the old leaf pointer in the
* super-tree leaf node we have to find a new one for it.
*/
if (pn != fn && pn->leaf == rt) {
pn->leaf = NULL;
atomic_dec(&rt->rt6i_ref);
}
if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO)) {
pn->leaf = fib6_find_prefix(info->nl_net, pn);
#if RT6_DEBUG >= 2
Expand Down

0 comments on commit 3c05123

Please sign in to comment.