netfilter: ipv6: fix afinfo->route refcnt leak on error

Several callers (h323 conntrack, xt_addrtype) assume that the
returned **dst only needs to be released if the function returns 0.

This is true for the ipv4 implementation, but not for the ipv6 one.

Instead of changing the users, change the ipv6 implementation
to behave like the ipv4 version by only providing the dst_entry result
in the success case.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 30fcee465448618b326f8cb9172deeadfc055e62..8992cf6651d47da90de5d3c76832672de50f547c 100644 (file)
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -100,9 +100,16 @@ static int nf_ip6_route(struct net *net, struct dst_entry **dst,
                .pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
        };
        const void *sk = strict ? &fake_sk : NULL;
-
-       *dst = ip6_route_output(net, sk, &fl->u.ip6);
-       return (*dst)->error;
+       struct dst_entry *result;
+       int err;
+
+       result = ip6_route_output(net, sk, &fl->u.ip6);
+       err = result->error;
+       if (err)
+               dst_release(result);
+       else
+               *dst = result;
+       return err;
 }
 
 __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,