summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteffen Klassert <steffen.klassert@secunet.com>2018-05-31 09:45:18 +0200
committerSteffen Klassert <steffen.klassert@secunet.com>2018-05-31 09:53:04 +0200
commit38369f54d97dd7dc50c73a2797bfeb53c2e87d2d (patch)
tree10f9850a7f5f795165a4fd7d833261c0d8f8f7e3
parentxfrm6: avoid potential infinite loop in _decode_session6() (diff)
downloadlinux-38369f54d97dd7dc50c73a2797bfeb53c2e87d2d.tar.xz
linux-38369f54d97dd7dc50c73a2797bfeb53c2e87d2d.zip
xfrm Fix potential error pointer dereference in xfrm_bundle_create.
We may derference an invalid pointer in the error path of xfrm_bundle_create(). Fix this by returning this error pointer directly instead of assigning it to xdst0. Fixes: 45b018beddb6 ("ipsec: Create and use new helpers for dst child access.") Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-rw-r--r--net/xfrm/xfrm_policy.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 40b54cc64243..5f48251c1319 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1658,7 +1658,6 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len;
}
-out:
return &xdst0->u.dst;
put_states:
@@ -1667,8 +1666,8 @@ put_states:
free_dst:
if (xdst0)
dst_release_immediate(&xdst0->u.dst);
- xdst0 = ERR_PTR(err);
- goto out;
+
+ return ERR_PTR(err);
}
static int xfrm_expand_policies(const struct flowi *fl, u16 family,