| From 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 14 Jun 2017 13:34:05 +0300 |
| Subject: xfrm: Oops on error in pfkey_msg2xfrm_state() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 upstream. |
| |
| There are some missing error codes here so we accidentally return NULL |
| instead of an error pointer. It results in a NULL pointer dereference. |
| |
| Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/key/af_key.c | 16 ++++++++++++---- |
| 1 file changed, 12 insertions(+), 4 deletions(-) |
| |
| --- a/net/key/af_key.c |
| +++ b/net/key/af_key.c |
| @@ -1147,8 +1147,10 @@ static struct xfrm_state * pfkey_msg2xfr |
| if (key) |
| keysize = (key->sadb_key_bits + 7) / 8; |
| x->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL); |
| - if (!x->aalg) |
| + if (!x->aalg) { |
| + err = -ENOMEM; |
| goto out; |
| + } |
| strcpy(x->aalg->alg_name, a->name); |
| x->aalg->alg_key_len = 0; |
| if (key) { |
| @@ -1167,8 +1169,10 @@ static struct xfrm_state * pfkey_msg2xfr |
| goto out; |
| } |
| x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL); |
| - if (!x->calg) |
| + if (!x->calg) { |
| + err = -ENOMEM; |
| goto out; |
| + } |
| strcpy(x->calg->alg_name, a->name); |
| x->props.calgo = sa->sadb_sa_encrypt; |
| } else { |
| @@ -1182,8 +1186,10 @@ static struct xfrm_state * pfkey_msg2xfr |
| if (key) |
| keysize = (key->sadb_key_bits + 7) / 8; |
| x->ealg = kmalloc(sizeof(*x->ealg) + keysize, GFP_KERNEL); |
| - if (!x->ealg) |
| + if (!x->ealg) { |
| + err = -ENOMEM; |
| goto out; |
| + } |
| strcpy(x->ealg->alg_name, a->name); |
| x->ealg->alg_key_len = 0; |
| if (key) { |
| @@ -1227,8 +1233,10 @@ static struct xfrm_state * pfkey_msg2xfr |
| struct xfrm_encap_tmpl *natt; |
| |
| x->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL); |
| - if (!x->encap) |
| + if (!x->encap) { |
| + err = -ENOMEM; |
| goto out; |
| + } |
| |
| natt = x->encap; |
| n_type = ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]; |