inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()

nlmsg_cancel() needs to be called in the error path of
inet_req_diag_fill to cancel the message.

Fixes: d545caca827b ("net: inet: diag: expose the socket mark to privileged processes.")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Link: https://lore.kernel.org/r/20201116082018.16496-1-wanghai38@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 366a450..93474b1 100644 (file)
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -479,8 +479,10 @@ static int inet_req_diag_fill(struct sock *sk, struct sk_buff *skb,
        r->idiag_inode  = 0;
 
        if (net_admin && nla_put_u32(skb, INET_DIAG_MARK,
-                                    inet_rsk(reqsk)->ir_mark))
+                                    inet_rsk(reqsk)->ir_mark)) {
+               nlmsg_cancel(skb, nlh);
                return -EMSGSIZE;
+       }
 
        nlmsg_end(skb, nlh);
        return 0;