| From e747f64336fc15e1c823344942923195b800aa1e Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 14 Jun 2017 13:35:37 +0300 |
| Subject: xfrm: NULL dereference on allocation failure |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit e747f64336fc15e1c823344942923195b800aa1e upstream. |
| |
| The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We |
| added a new call to security_xfrm_state_alloc() which sets "err" to zero |
| so there several places where we can return ERR_PTR(0) if kmalloc() |
| fails. The caller is expecting error pointers so it leads to a NULL |
| dereference. |
| |
| Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/key/af_key.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/key/af_key.c |
| +++ b/net/key/af_key.c |
| @@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfr |
| goto out; |
| } |
| |
| + err = -ENOBUFS; |
| key = ext_hdrs[SADB_EXT_KEY_AUTH - 1]; |
| if (sa->sadb_sa_auth) { |
| int keysize = 0; |