diff options
| author | Jeremy Sowden <jeremy@azazel.net> | 2019-05-25 14:09:35 -0400 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2019-05-28 03:20:52 -0400 |
| commit | 7c80eb1c7e2b8420477fbc998971d62a648035d9 (patch) | |
| tree | cfb13539258bde158acd4224ffa47aa482bbf3d7 /net/key | |
| parent | b38ff4075a80b4da5cb2202d7965332ca0efb213 (diff) | |
af_key: fix leaks in key_pol_get_resp and dump_sp.
In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
allocated sk_buff. Free it on error.
Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/key')
| -rw-r--r-- | net/key/af_key.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 4af1e1d60b9f..51c0f10bb131 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
| @@ -2442,8 +2442,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc | |||
| 2442 | goto out; | 2442 | goto out; |
| 2443 | } | 2443 | } |
| 2444 | err = pfkey_xfrm_policy2msg(out_skb, xp, dir); | 2444 | err = pfkey_xfrm_policy2msg(out_skb, xp, dir); |
| 2445 | if (err < 0) | 2445 | if (err < 0) { |
| 2446 | kfree_skb(out_skb); | ||
| 2446 | goto out; | 2447 | goto out; |
| 2448 | } | ||
| 2447 | 2449 | ||
| 2448 | out_hdr = (struct sadb_msg *) out_skb->data; | 2450 | out_hdr = (struct sadb_msg *) out_skb->data; |
| 2449 | out_hdr->sadb_msg_version = hdr->sadb_msg_version; | 2451 | out_hdr->sadb_msg_version = hdr->sadb_msg_version; |
| @@ -2694,8 +2696,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr) | |||
| 2694 | return PTR_ERR(out_skb); | 2696 | return PTR_ERR(out_skb); |
| 2695 | 2697 | ||
| 2696 | err = pfkey_xfrm_policy2msg(out_skb, xp, dir); | 2698 | err = pfkey_xfrm_policy2msg(out_skb, xp, dir); |
| 2697 | if (err < 0) | 2699 | if (err < 0) { |
| 2700 | kfree_skb(out_skb); | ||
| 2698 | return err; | 2701 | return err; |
| 2702 | } | ||
| 2699 | 2703 | ||
| 2700 | out_hdr = (struct sadb_msg *) out_skb->data; | 2704 | out_hdr = (struct sadb_msg *) out_skb->data; |
| 2701 | out_hdr->sadb_msg_version = pfk->dump.msg_version; | 2705 | out_hdr->sadb_msg_version = pfk->dump.msg_version; |