xfrm: fix leaking usertemplate in xfrmnl_sp_parse()

Fixes: 49c20efaa783 ('xfrm: fix crashes in case of ENOMEM')

2 files changed, 9 insertions, 2 deletions

diff --git a/include/nl-aux-xfrm/nl-xfrm.h b/include/nl-aux-xfrm/nl-xfrm.h
index 0f7e7a71..9c5c46a6 100644
--- a/include/nl-aux-xfrm/nl-xfrm.h
+++ b/include/nl-aux-xfrm/nl-xfrm.h
@@ -23,4 +23,11 @@ void xfrmnl_ae_put(struct xfrmnl_ae *ae);
 _NL_AUTO_DEFINE_FCN_TYPED0(struct xfrmnl_ae *, _nl_auto_xfrmnl_ae_fcn,
 			   xfrmnl_ae_put);
 
+struct xfrmnl_user_tmpl;
+void xfrmnl_user_tmpl_free(struct xfrmnl_user_tmpl *utmpl);
+#define _nl_auto_xfrmnl_user_tmpl _nl_auto(_nl_auto_xfrmnl_user_tmpl_fcn)
+_NL_AUTO_DEFINE_FCN_TYPED0(struct xfrmnl_user_tmpl *,
+			   _nl_auto_xfrmnl_user_tmpl_fcn,
+			   xfrmnl_user_tmpl_free);
+
 #endif /* __NETLINK_NL_AUX_XFRM_NL_XFRM_H__ */
diff --git a/lib/xfrm/sp.c b/lib/xfrm/sp.c
index e98339c0..a996455a 100644
--- a/lib/xfrm/sp.c
+++ b/lib/xfrm/sp.c
@@ -651,12 +651,12 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 
 	if (tb[XFRMA_TMPL]) {
 		struct xfrm_user_tmpl*      tmpl = nla_data(tb[XFRMA_TMPL]);
-		struct xfrmnl_user_tmpl*    sputmpl;
 		uint32_t                    i;
 		uint32_t                    num_tmpls = nla_len(tb[XFRMA_TMPL]) / sizeof (*tmpl);
 
 		for (i = 0; (i < num_tmpls) && (tmpl); i ++, tmpl++)
 		{
+			_nl_auto_xfrmnl_user_tmpl struct xfrmnl_user_tmpl *sputmpl = NULL;
 			_nl_auto_nl_addr struct nl_addr *addr1 = NULL;
 			_nl_auto_nl_addr struct nl_addr *addr2 = NULL;
 
@@ -681,7 +681,7 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 			xfrmnl_user_tmpl_set_aalgos (sputmpl, tmpl->aalgos);
 			xfrmnl_user_tmpl_set_ealgos (sputmpl, tmpl->ealgos);
 			xfrmnl_user_tmpl_set_calgos (sputmpl, tmpl->calgos);
-			xfrmnl_sp_add_usertemplate (sp, sputmpl);
+			xfrmnl_sp_add_usertemplate (sp, _nl_steal_pointer(&sputmpl));
 
 			sp->ce_mask     |=  XFRM_SP_ATTR_TMPL;
 		}