lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1556137087-25814-1-git-send-email-wang6495@umn.edu>
Date:   Wed, 24 Apr 2019 15:18:07 -0500
From:   Wenwen Wang <wang6495@....edu>
To:     Wenwen Wang <wang6495@....edu>
Cc:     Boris Pismenny <borisp@...lanox.com>,
        Aviad Yehezkel <aviadye@...lanox.com>,
        Dave Watson <davejwatson@...com>,
        John Fastabend <john.fastabend@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        "David S. Miller" <davem@...emloft.net>,
        netdev@...r.kernel.org (open list:NETWORKING [TLS]),
        linux-kernel@...r.kernel.org (open list)
Subject: [PATCH] net: tls: fix a memory leak bug

In decrypt_internal(), a memory block 'mem' is allocated through kmalloc()
to hold aead_req, sgin[], sgout[], aad, and iv. This memory block should be
freed after it is used, before this function is returned. However, if the
return value of the function invocation of tls_do_decryption() is
-EINPROGRESS, this memory block is actually not freed, which is a memory
leak bug.

To fix this issue, free the allocated block before the error code
-EINPROGRESS is returned.

Signed-off-by: Wenwen Wang <wang6495@....edu>
---
 net/tls/tls_sw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index b50ced8..22445bb 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1445,8 +1445,10 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
 	/* Prepare and submit AEAD request */
 	err = tls_do_decryption(sk, skb, sgin, sgout, iv,
 				data_len, aead_req, async);
-	if (err == -EINPROGRESS)
+	if (err == -EINPROGRESS) {
+		kfree(mem);
 		return err;
+	}
 
 	/* Release the pages in case iov was mapped to pages */
 	for (; pages > 0; pages--)
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ