xfrm: Reset secpath in xfrm failure

In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated
without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would
fail and result in dereferencing invalid pointer in esp4_gso_segment()
and esp6_gso_segment(). Reset secpath if xfrm function returns error.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Reported-by: syzbot+b69368fd933c6c592f4c@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

1 files changed, 5 insertions, 3 deletions

diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index d46b4eb645c2..cb99f6fb79b7 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -74,13 +74,13 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
                         goto out;
 
                 if (sp->len == XFRM_MAX_DEPTH)
-                        goto out;
+                        goto out_reset;
 
                 x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
                                       (xfrm_address_t *)&ipv6_hdr(skb)->daddr,
                                       spi, IPPROTO_ESP, AF_INET6);
                 if (!x)
-                        goto out;
+                        goto out_reset;
 
                 sp->xvec[sp->len++] = x;
                 sp->olen++;
@@ -88,7 +88,7 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
                 xo = xfrm_offload(skb);
                 if (!xo) {
                         xfrm_state_put(x);
-                        goto out;
+                        goto out_reset;
                 }
         }
 
@@ -109,6 +109,8 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
         xfrm_input(skb, IPPROTO_ESP, spi, -2);
 
         return ERR_PTR(-EINPROGRESS);
+out_reset:
+        secpath_reset(skb);
 out:
         skb_push(skb, offset);
         NAPI_GRO_CB(skb)->same_flow = 0;