af_key: fix leaks in key_pol_get_resp and dump_sp. [Linux 4.9.187]

This Linux kernel change, "af_key: fix leaks in key_pol_get_resp and dump_sp", is included in the Linux 4.9.187 release. It was authored by Jeremy Sowden <jeremy [at] azazel.net> on Sat May 25 19:09:35 2019 +0100. The commit for this change in the Linux stable tree is f76107c, which is from upstream commit 7c80eb1. The same upstream change may have been applied to other maintained Linux releases.

af_key: fix leaks in key_pol_get_resp and dump_sp.

[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ]

In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
allocated sk_buff.  Free it on error.

Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

This change adds or deletes 8 lines of Linux source code. The code changes to the Linux kernel are as follows.

 net/key/af_key.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 3ba903f..36db179 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2463,8 +2463,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
        goto out;
    }
    err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
-   if (err < 0)
+   if (err < 0) {
+       kfree_skb(out_skb);
        goto out;
+   }

    out_hdr = (struct sadb_msg *) out_skb->data;
    out_hdr->sadb_msg_version = hdr->sadb_msg_version;
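
Review bot: in key_pol_get_resp the new kfree_skb(out_skb) is followed by "goto out", and the out label lies outside this hunk, so confirm that nothing under out: frees or dereferences out_skb a second time. If the label does touch it, either set out_skb to NULL after the free or give this error path its own label. The earlier "goto out" visible in the context lines shares the same exit, so both paths depend on out: being safe to reach without a live skb.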
@@ -2717,8 +2719,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
        return PTR_ERR(out_skb);

    err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
-   if (err < 0)
+   if (err < 0) {
+       kfree_skb(out_skb);
        return err;
+   }

    out_hdr = (struct sadb_msg *) out_skb->data;
    out_hdr->sadb_msg_version = pfk->dump.msg_version;
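
Review bot: the free-and-return block ending at "return err;" in dump_sp is the second copy of the same error handling after pfkey_xfrm_policy2msg (the first is in key_pol_get_resp above), so any other site that allocates an skb and then calls pfkey_xfrm_policy2msg should be checked for the same leak. The commit message says only that the call "failed"; since the Fixes: tag points at the IPSEC_MODE/XFRM_MODE conversion change, one sentence on which input makes pfkey_xfrm_policy2msg return an error would help anyone triaging this backport.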
