summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYu Kuai <yukuai3@huawei.com>2020-11-10 02:14:43 +0100
committerSteffen Klassert <steffen.klassert@secunet.com>2020-11-10 09:14:25 +0100
commit48f486e13ffdb49fbb9b38c21d0e108ed60ab1a2 (patch)
tree9285c37baf8ff94289d9bc686b225c452a81c01f
parentMerge branch 'xfrm/compat: syzbot-found fixes' (diff)
downloadlinux-48f486e13ffdb49fbb9b38c21d0e108ed60ab1a2.tar.xz
linux-48f486e13ffdb49fbb9b38c21d0e108ed60ab1a2.zip
net: xfrm: fix memory leak in xfrm_user_policy()
if xfrm_get_translator() failed, xfrm_user_policy() return without freeing 'data', which is allocated in memdup_sockptr(). Fixes: 96392ee5a13b ("xfrm/compat: Translate 32-bit user_policy from sockptr") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-rw-r--r--net/xfrm/xfrm_state.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a77da7aae6fe..2f1517827995 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2382,8 +2382,10 @@ int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval, int optlen)
if (in_compat_syscall()) {
struct xfrm_translator *xtr = xfrm_get_translator();
- if (!xtr)
+ if (!xtr) {
+ kfree(data);
return -EOPNOTSUPP;
+ }
err = xtr->xlate_user_policy_sockptr(&data, optlen);
xfrm_put_translator(xtr);