From d8a1ff30c4864bd57c2d895ef88df8a2d138a17d Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Mon, 4 Dec 2023 11:36:16 +0100
Subject: xfrm: fix leaking usertemplate in xfrmnl_sp_parse()

Fixes: 49c20efaa783 ('xfrm: fix crashes in case of ENOMEM')
---
 include/nl-aux-xfrm/nl-xfrm.h | 7 +++++++
 lib/xfrm/sp.c | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/nl-aux-xfrm/nl-xfrm.h b/include/nl-aux-xfrm/nl-xfrm.h
index 0f7e7a71..9c5c46a6 100644
--- a/include/nl-aux-xfrm/nl-xfrm.h
+++ b/include/nl-aux-xfrm/nl-xfrm.h
@@ -23,4 +23,11 @@ void xfrmnl_ae_put(struct xfrmnl_ae *ae);
 _NL_AUTO_DEFINE_FCN_TYPED0(struct xfrmnl_ae *, _nl_auto_xfrmnl_ae_fcn, xfrmnl_ae_put);
+struct xfrmnl_user_tmpl;
+void xfrmnl_user_tmpl_free(struct xfrmnl_user_tmpl *utmpl);
+#define _nl_auto_xfrmnl_user_tmpl _nl_auto(_nl_auto_xfrmnl_user_tmpl_fcn)
+_NL_AUTO_DEFINE_FCN_TYPED0(struct xfrmnl_user_tmpl *,
+ _nl_auto_xfrmnl_user_tmpl_fcn,
+ xfrmnl_user_tmpl_free);
+
 #endif /* __NETLINK_NL_AUX_XFRM_NL_XFRM_H__ */
diff --git a/lib/xfrm/sp.c b/lib/xfrm/sp.c
index e98339c0..a996455a 100644
--- a/lib/xfrm/sp.c
+++ b/lib/xfrm/sp.c
@@ -651,12 +651,12 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 if (tb[XFRMA_TMPL]) {
 struct xfrm_user_tmpl* tmpl = nla_data(tb[XFRMA_TMPL]);
- struct xfrmnl_user_tmpl* sputmpl;
 uint32_t i;
 uint32_t num_tmpls = nla_len(tb[XFRMA_TMPL]) / sizeof (*tmpl);
 for (i = 0; (i < num_tmpls) && (tmpl); i ++, tmpl++) {
+ _nl_auto_xfrmnl_user_tmpl struct xfrmnl_user_tmpl *sputmpl = NULL;
 _nl_auto_nl_addr struct nl_addr *addr1 = NULL;
 _nl_auto_nl_addr struct nl_addr *addr2 = NULL;
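Review bot: The new `_nl_auto_xfrmnl_user_tmpl` cleanup macro in nl-xfrm.h is added without a comment on the ownership contract it imposes on its users. A variable declared with it is released through `xfrmnl_user_tmpl_free()` when it leaves scope, so it has to be initialised at its declaration and cleared before the object is given to another owner; otherwise the outcome is a free of an indeterminate pointer or a double free. I would put this above the `#define`: `/* Owning pointer: freed at scope exit; initialise to NULL and pass on with _nl_steal_pointer(). */`. The local prototype of `xfrmnl_user_tmpl_free()` presumably repeats a declaration from another header, so the two signatures need to stay in sync.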
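Review bot: With `sputmpl` now declared as `_nl_auto_xfrmnl_user_tmpl` inside the `for` body of xfrmnl_sp_parse(), every exit from an iteration frees it, and the lines between this hunk and the next one (the allocation and its error returns) are outside the view. If any of those paths still frees `sputmpl` by hand, or stores the pointer without `_nl_steal_pointer()`, the automatic cleanup becomes a double free or leaves a dangling entry, so that stretch is worth re-reading against the new declaration. A one-line comment on the declaration would record the intent: `/* owned by this iteration until handed to sp below */`. The loop body and the enclosing function continue past the end of the hunk.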
@@ -681,7 +681,7 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 xfrmnl_user_tmpl_set_aalgos (sputmpl, tmpl->aalgos);
 xfrmnl_user_tmpl_set_ealgos (sputmpl, tmpl->ealgos);
 xfrmnl_user_tmpl_set_calgos (sputmpl, tmpl->calgos);
- xfrmnl_sp_add_usertemplate (sp, sputmpl);
+ xfrmnl_sp_add_usertemplate (sp, _nl_steal_pointer(&sputmpl));
 sp->ce_mask |= XFRM_SP_ATTR_TMPL;
 }
-- 
cgit v1.2.3
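Review bot: The hand-off `xfrmnl_sp_add_usertemplate (sp, _nl_steal_pointer(&sputmpl));` clears the local before the callee runs, so this scope no longer frees the template once the call is reached. That is correct only while xfrmnl_sp_add_usertemplate() always takes ownership; its definition is not part of the hunk, and if it ever gains a failure path that does not free its argument the leak this commit fixes would come back. A short comment on the call would state the contract: `/* sp takes ownership of sputmpl; the local is NULL from here on */`. The enclosing loop and function start and end outside the hunk.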