Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 38369f54 authored by Steffen Klassert's avatar Steffen Klassert
Browse files

xfrm Fix potential error pointer dereference in xfrm_bundle_create. 



We may derference an invalid pointer in the error path of
xfrm_bundle_create(). Fix this by returning this error
pointer directly instead of assigning it to xdst0.

Fixes: 45b018be ("ipsec: Create and use new helpers for dst child access.")
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent d9f92772

net/xfrm/xfrm_policy.c

+2 −3
Original line number Original line Diff line number Diff line
@@ -1658,7 +1658,6 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, 
		trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len;

		trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len;

	}

	}





out:

	return &xdst0->u.dst;

	return &xdst0->u.dst;





put_states:

put_states:
@@ -1667,8 +1666,8 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, 
free_dst:

free_dst:

	if (xdst0)

	if (xdst0)

		dst_release_immediate(&xdst0->u.dst);

		dst_release_immediate(&xdst0->u.dst);

	xdst0 = ERR_PTR(err);



	goto out;

	return ERR_PTR(err);

}

}





static int xfrm_expand_policies(const struct flowi *fl, u16 family,

static int xfrm_expand_policies(const struct flowi *fl, u16 family,