xfrm: NULL dereference on allocation failure
The default error code in pfkey_msg2xfrm_state() is -ENOBUFS.  We
added a new call to security_xfrm_state_alloc() which sets "err" to zero
so there are several places where we can return ERR_PTR(0) if kmalloc()
fails.  The caller is expecting error pointers so it leads to a NULL
dereference.

Fixes: df71837 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Dan Carpenter authored and klassert committed Jun 14, 2017
1 parent 1e3d0c2 commit e747f64
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/key/af_key.c
Expand Up @@ -1157,6 +1157,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
goto out;
}

err = -ENOBUFS;
key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
if (sa->sadb_sa_auth) {
int keysize = 0;
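Review bot: the added `err = -ENOBUFS;` just above `key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];` carries no comment, so nothing at this point in the function tells a reader that an earlier call left `err` at zero and that the allocation failure paths below depend on this reset. A one-line comment saying so would help. The pattern also stays fragile: any later statement in this function that stores a successful return value in `err` ahead of a bare `goto out;` brings back the ERR_PTR(0) return, so consider assigning the error code in each failure branch instead of relying on a function-wide default.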

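The failure mode described in the commit message, as an added userspace example (not kernel code and not part of the commit). The `ERR_PTR`/`IS_ERR`/`PTR_ERR` helpers are simplified models of the kernel's, and `build_state`, `policy_check`, `fail_alloc` and `rearm` are hypothetical names chosen for illustration.

```c
/* Userspace model of the error-pointer pattern (constructed for this example). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

struct state { int id; };

/* Hypothetical stand-in for a helper that returns 0 on success. */
static int policy_check(void) { return 0; }

/* fail_alloc simulates a later kmalloc() returning NULL; rearm applies the fix. */
static struct state *build_state(int fail_alloc, int rearm)
{
    struct state *x;
    int err = -ENOBUFS;           /* function-wide default error */

    x = calloc(1, sizeof(*x));
    if (!x)
        return ERR_PTR(err);

    err = policy_check();         /* success overwrites the default with 0 */
    if (err)
        goto out;
    if (rearm)
        err = -ENOBUFS;           /* the one-line fix: restore the default */
    if (fail_alloc)
        goto out;                 /* err is 0 here unless it was re-armed */

    x->id = 1;
    return x;
out:
    free(x);
    return ERR_PTR(err);          /* ERR_PTR(0) is NULL, which IS_ERR() misses */
}

int main(void)
{
    struct state *x = build_state(1, 0);
    printf("before fix: IS_ERR=%d ptr=%p\n", IS_ERR(x), (void *)x);
    x = build_state(1, 1);
    printf("after fix:  IS_ERR=%d err=%ld\n", IS_ERR(x), PTR_ERR(x));
    return 0;
}
```

A caller that checks only `IS_ERR()` treats the NULL from the first call as a valid object and dereferences it; after the reset the same failure is reported as `-ENOBUFS`.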