
[7/10] [IPSEC] Fix xfrm_state leaks in error path

To: "David S. Miller" <davem@xxxxxxxxxxxxx>, jamal <hadi@xxxxxxxxxx>, Patrick McHardy <kaber@xxxxxxxxx>, netdev@xxxxxxxxxxx
Subject: [7/10] [IPSEC] Fix xfrm_state leaks in error path
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 May 2005 21:14:58 +1000
In-reply-to: <20050527111140.GF4545@gondor.apana.org.au>
References: <20050527110730.GA4424@gondor.apana.org.au> <20050527110816.GA4545@gondor.apana.org.au> <20050527110852.GB4545@gondor.apana.org.au> <20050527110929.GC4545@gondor.apana.org.au> <20050527111007.GD4545@gondor.apana.org.au> <20050527111037.GE4545@gondor.apana.org.au> <20050527111140.GF4545@gondor.apana.org.au>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.9i
Herbert Xu wrote:
> @@ -1254,6 +1326,7 @@ static int pfkey_add(struct sock *sk, st
>       if (IS_ERR(x))
>               return PTR_ERR(x);
>
> +     xfrm_state_hold(x);
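
Review bot: the added xfrm_state_hold(x) after the IS_ERR(x) check has no matching put in the quoted lines and no comment saying why a second reference is taken. Every failure return that follows it in pfkey_add() has to drop the reference taken here, so a short comment at the hold naming the path that can drop the original reference would make the pairing easier to audit.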

This introduces a leak when xfrm_state_add()/xfrm_state_update()
fail. We hold two references (one from xfrm_state_alloc(), one
from xfrm_state_hold()), but only drop one. We need to take the
reference because the reference from xfrm_state_alloc() can
be dropped by __xfrm_state_delete(), so the fix is to drop both
references on error. Same problem in xfrm_user.c.

Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Attachment: p9.patch
Description: Text document
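
The reference counting described in the message above, as an added user-space model that is not part of the original post and is not kernel code. All `toy_*` names, `add_leaky`, `add_fixed` and `leaked_after` are hypothetical; the model assumes a successful add hands the allocation reference to the state table, where a delete can drop it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for struct xfrm_state: only the reference count is modelled. */
struct toy_state { int refcnt; };
static int live_states;                 /* allocated and not yet freed */
static struct toy_state *toy_alloc(void) {   /* returns holding one reference */
    struct toy_state *x = malloc(sizeof(*x));
    if (!x) abort();
    x->refcnt = 1; live_states++;
    return x;
}
static void toy_hold(struct toy_state *x) { x->refcnt++; }
static void toy_put(struct toy_state *x) { if (--x->refcnt == 0) { live_states--; free(x); } }
/* Model assumption: on success the table owns the alloc reference and a
 * delete may drop it; on failure both references stay with the caller. */
static int toy_add(struct toy_state *x, int fail) { (void)x; return fail ? -1 : 0; }
static void toy_delete(struct toy_state *x) { toy_put(x); }
/* Error path that drops only one of the two references: the leak. */
static int add_leaky(int fail) {
    struct toy_state *x = toy_alloc();
    toy_hold(x);                        /* keeps x valid across a delete */
    int err = toy_add(x, fail);
    if (err) { toy_put(x); return err; }         /* refcnt stays at 1 */
    toy_delete(x);                      /* table reference dropped */
    toy_put(x);                         /* caller's held reference dropped */
    return 0;
}
/* Error path that drops both references. */
static int add_fixed(int fail) {
    struct toy_state *x = toy_alloc();
    toy_hold(x);
    int err = toy_add(x, fail);
    if (err) { toy_put(x); toy_put(x); return err; }
    toy_delete(x);
    toy_put(x);
    return 0;
}
/* Run one variant and return how many states it left allocated. */
static int leaked_after(int (*fn)(int), int fail) {
    int before = live_states;
    fn(fail);
    return live_states - before;
}
int main(void) {
    printf("one put on error:  %d state(s) leaked\n", leaked_after(add_leaky, 1));
    printf("two puts on error: %d state(s) leaked\n", leaked_after(add_fixed, 1));
    return 0;
}
```

Both variants release everything when the add succeeds; they differ only when it fails.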
