
Commit 553f9118 authored by Herbert Xu, committed by David S. Miller

xfrm: Fix xfrm_state_clone leak



xfrm_state_clone calls kfree instead of xfrm_state_put to free
a failed state.  Depending on the state of the failed state, it
can cause leaks to things like module references.

All states should be freed by xfrm_state_put past the point of
xfrm_init_state.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 10e7454e
+3 −9
@@ -1102,7 +1102,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
	int err = -ENOMEM;
	struct xfrm_state *x = xfrm_state_alloc(net);
	if (!x)
		goto error;
		goto out;

	memcpy(&x->id, &orig->id, sizeof(x->id));
	memcpy(&x->sel, &orig->sel, sizeof(x->sel));
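Review bot: the `if (!x)` branch must never reach `error:`, because that label now calls `xfrm_state_put(x)` and would be handed a NULL pointer. Sending the allocation failure to `out` handles that, but nothing in the code records the constraint. A one-line comment at this `goto out;` (or at the `out:` label) stating that it is the path for x == NULL would stop a later edit from reintroducing `goto error` before the allocation has succeeded.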
@@ -1160,16 +1160,10 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
	return x;

 error:
	xfrm_state_put(x);
out:
	if (errp)
		*errp = err;
	if (x) {
		kfree(x->aalg);
		kfree(x->ealg);
		kfree(x->calg);
		kfree(x->encap);
		kfree(x->coaddr);
	}
	kfree(x);
	return NULL;
}
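Review bot: at `error:`, `xfrm_state_put(x)` is now the only cleanup, so `aalg`, `ealg`, `calg`, `encap` and `coaddr` are freed only if the put path releases them. The commit message states the rule for states past xfrm_init_state, while this label is also the target for failures on a state that has only been allocated and partly copied. Please confirm that the put path is safe for such a state, with some of those pointers still NULL, and say so in the commit message or in a comment above `error:`. Minor style point: ` error:` carries a leading space and the new `out:` does not; pick one form for both labels.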