| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190130213542.17313-1-ramin.blackhat@gmail.com>
Date: Wed, 30 Jan 2019 21:35:42 +0000
From: Ramin Farajpour Cami <ramin.blackhat@...il.com>
To: davem@...emloft.net
Cc: herbert@...dor.apana.org.au, steffen.klassert@...unet.com,
netdev@...r.kernel.org,
Ramin Farajpour Cami <ramin.blackhat@...il.com>
Subject: [PATCH] net: esp4: Fix double free on esp4 functions
key/tmp is being kfree'd twice,once in the "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" call
to "free_key",twice When "crypto_aead_setauthsize(aead, x->aalg->alg_trunc_len / 8)" fails call to again "free_key",
Signed-off-by: Ramin Farajpour Cami <ramin.blackhat@...il.com>
---
net/ipv4/esp4.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5459f41fc26f..5a66e47641b0 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
error_free:
kfree(tmp);
+ tmp = NULL;
error:
return err;
}
@@ -959,7 +960,7 @@ static int esp_init_authenc(struct xfrm_state *x)
free_key:
kfree(key);
-
+ key = NULL;
error:
return err;
}
--
2.11.0
Powered by blists - more mailing lists