net: xfrm: fix memory leak in xfrm_user_policy()

if xfrm_get_translator() failed, xfrm_user_policy() return without freeing 'data', which is allocated in memdup_sockptr(). Fixes: 96392ee5 ("xfrm/compat: Translate 32-bit user_policy from sockptr") Reported-by: N Hulk Robot <hulkci@huawei.com> Signed-off-by: N Yu Kuai <yukuai3@huawei.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com>

net: xfrm: fix memory leak in xfrm_user_policy()
if xfrm_get_translator() failed, xfrm_user_policy() return without freeing 'data', which is allocated in memdup_sockptr(). Fixes: 96392ee5 ("xfrm/compat: Translate 32-bit user_policy from sockptr") Reported-by: N Hulk Robot <hulkci@huawei.com> Signed-off-by: N Yu Kuai <yukuai3@huawei.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com>
48f486e1 · Yu Kuai · Steffen Klassert · bc0230b6 · 48f486e1
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

net/xfrm/xfrm_state.c net/xfrm/xfrm_state.c +3 -1

未找到文件。
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2382,8 +2382,10 @@ int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval, int optlen)
 	if (in_compat_syscall()) {
 		struct xfrm_translator *xtr = xfrm_get_translator();

-		if (!xtr)
+		if (!xtr) {
+			kfree(data);
 			return -EOPNOTSUPP;
+		}

 		err = xtr->xlate_user_policy_sockptr(&data, optlen);
 		xfrm_put_translator(xtr);