xfrm: NULL dereference on allocation failure

Dan Carpenter · gregkh · commit ac78351c96e8 · 2017-07-05T14:37:21.000+02:00
commit e747f64336fc15e1c823344942923195b800aa1e upstream. The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We added a new call to security_xfrm_state_alloc() which sets "err" to zero so there several places where we can return ERR_PTR(0) if kmalloc() fails. The caller is expecting error pointers so it leads to a NULL dereference. Fixes: df71837 ("[LSM-IPSec]: Security association restriction.") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/key/af_key.c b/net/key/af_key.c
@@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
 			goto out;
 	}
 
+	err = -ENOBUFS;
 	key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
 	if (sa->sadb_sa_auth) {
 		int keysize = 0;

Original file line number	Diff line number	Diff line change
`@@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,`
`1135`	`1135`	`goto out;`
`1136`	`1136`	`}`
`1137`	`1137`
	`1138`	`+ err = -ENOBUFS;`
`1138`	`1139`	`key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];`
`1139`	`1140`	`if (sa->sadb_sa_auth) {`
`1140`	`1141`	`int keysize = 0;`