diff options
| author | Steffen Klassert <steffen.klassert@secunet.com> | 2018-05-31 03:45:18 -0400 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2018-05-31 03:53:04 -0400 |
| commit | 38369f54d97dd7dc50c73a2797bfeb53c2e87d2d (patch) | |
| tree | 10f9850a7f5f795165a4fd7d833261c0d8f8f7e3 | |
| parent | d9f92772e8ec388d070752ee8f187ef8fa18621f (diff) | |
xfrm Fix potential error pointer dereference in xfrm_bundle_create.
We may derference an invalid pointer in the error path of
xfrm_bundle_create(). Fix this by returning this error
pointer directly instead of assigning it to xdst0.
Fixes: 45b018beddb6 ("ipsec: Create and use new helpers for dst child access.")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 40b54cc64243..5f48251c1319 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
| @@ -1658,7 +1658,6 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, | |||
| 1658 | trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len; | 1658 | trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len; |
| 1659 | } | 1659 | } |
| 1660 | 1660 | ||
| 1661 | out: | ||
| 1662 | return &xdst0->u.dst; | 1661 | return &xdst0->u.dst; |
| 1663 | 1662 | ||
| 1664 | put_states: | 1663 | put_states: |
| @@ -1667,8 +1666,8 @@ put_states: | |||
| 1667 | free_dst: | 1666 | free_dst: |
| 1668 | if (xdst0) | 1667 | if (xdst0) |
| 1669 | dst_release_immediate(&xdst0->u.dst); | 1668 | dst_release_immediate(&xdst0->u.dst); |
| 1670 | xdst0 = ERR_PTR(err); | 1669 | |
| 1671 | goto out; | 1670 | return ERR_PTR(err); |
| 1672 | } | 1671 | } |
| 1673 | 1672 | ||
| 1674 | static int xfrm_expand_policies(const struct flowi *fl, u16 family, | 1673 | static int xfrm_expand_policies(const struct flowi *fl, u16 family, |