Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 54302094 authored by Dan Carpenter's avatar Dan Carpenter Committed by Casey Schaufler
Browse files

Smack: freeing an error pointer in smk_write_revoke_subj() 



This code used to rely on the fact that kfree(NULL) was a no-op, but
then we changed smk_parse_smack() to return error pointers on failure
instead of NULL.  Calling kfree() on an error pointer will oops.

I have re-arranged things a bit so that we only free things if they
have been allocated.

Fixes: e774ad68 ('smack: pass error code through pointers')
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
parent c0d77c88

security/smack/smackfs.c

+9 −7
Original line number Diff line number Diff line
@@ -2253,8 +2253,8 @@ static const struct file_operations smk_access2_ops = { 
static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,

				size_t count, loff_t *ppos)

{

	char *data = NULL;

	const char *cp = NULL;

	char *data;

	const char *cp;

	struct smack_known *skp;

	struct smack_rule *sp;

	struct list_head *rule_list;
@@ -2276,18 +2276,18 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, 


	if (copy_from_user(data, buf, count) != 0) {

		rc = -EFAULT;

		goto free_out;

		goto out_data;

	}



	cp = smk_parse_smack(data, count);

	if (IS_ERR(cp)) {

		rc = PTR_ERR(cp);

		goto free_out;

		goto out_data;

	}



	skp = smk_find_entry(cp);

	if (skp == NULL)

		goto free_out;

		goto out_cp;



	rule_list = &skp->smk_rules;

	rule_lock = &skp->smk_rules_lock;
@@ -2299,9 +2299,11 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, 


	mutex_unlock(rule_lock);



free_out:

	kfree(data);

out_cp:

	kfree(cp);

out_data:

	kfree(data);



	return rc;

}