Subject: Re: [PATCH] net: esp4: Fix double free on esp4 functions
To: Ramin Farajpour Cami, davem@davemloft.net
Cc: herbert@gondor.apana.org.au, steffen.klassert@secunet.com, netdev@vger.kernel.org
References: <20190130213542.17313-1-ramin.blackhat@gmail.com>
From: Eric Dumazet
Date: Wed, 30 Jan 2019 15:07:52 -0800
Message-ID: <38d987a0-7cc4-1565-00d4-22fdd04d7894@gmail.com>
In-Reply-To: <20190130213542.17313-1-ramin.blackhat@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

On 01/30/2019 01:35 PM, Ramin Farajpour Cami wrote:
> key/tmp is being kfree'd twice: once in the "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" call
> to "free_key", and a second time when "crypto_aead_setauthsize(aead, x->aalg->alg_trunc_len / 8)" fails and calls "free_key" again.
> 
> Signed-off-by: Ramin Farajpour Cami
> ---
>  net/ipv4/esp4.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> index 5459f41fc26f..5a66e47641b0 100644
> --- a/net/ipv4/esp4.c
> +++ b/net/ipv4/esp4.c
> @@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
> 
>  error_free:
>  	kfree(tmp);
> +	tmp = NULL;

Clearing tmp right before a "return err;" has no effect at all.

>  error:
>  	return err;
>  }
> @@ -959,7 +960,7 @@ static int esp_init_authenc(struct xfrm_state *x)
> 
>  free_key:
>  	kfree(key);
> -
> +	key = NULL;

Same here, this is essentially dead code.

>  error:
>  	return err;
>  }
> 
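Review bot: in the first hunk (`@@ -467,6 +467,7 @@ int esp_output_tail`), `tmp = NULL;` is a store to a local immediately before `error: return err;`, so nothing can ever read it; the compiler will drop it as a dead store and it cannot prevent any second `kfree(tmp)`. The commit message also only describes the `free_key` path in `esp_init_authenc` (the `icv_fullbits` comparison and the `crypto_aead_setauthsize()` failure) and says nothing about `esp_output_tail`, so this hunk has no stated justification. Either explain where `tmp` is freed a second time and fix that call path, or drop the hunk.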
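Review bot: in the second hunk (`@@ -959,7 +960,7 @@ static int esp_init_authenc`), `key = NULL;` has the same problem: `key` is a local and the next statement reached is `return err;`, so the store is dead and changes no behaviour. The visible flow from `free_key:` is `kfree(key);` and then fall-through to `error: return err;`, so the two checks the commit message names cannot both reach `free_key` within one call; whichever `goto free_key` fires first, `key` is freed once and the function returns. If `key` really is freed twice, the second free happens outside this hunk and the fix belongs at that second `kfree()` or in the control flow that reaches it, not in a NULL store after the first. Note also that the hunk replaces the blank line before `error:` rather than adding a line, which is an unrelated whitespace change.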
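To make the reviewer's point concrete, the following is an added example in plain C; it is not kernel code and not part of the patch under review. It copies the goto-label cleanup shape of the patched function, with a stand-in for kfree() that records every pointer it releases so a second release can be counted instead of crashing. It shows that each call frees its local exactly once whichever check fails, that the NULL store at the label is dead, and that the only NULL store which prevents a later free is one on a pointer that outlives the function, such as a field of the owning object. The tracker, `xfree()`, `init_local()`, `setup()` and `struct ctx` are all assumptions of the example.

```c
/* Added example, not kernel code and not part of the patch under review:
 * why "p = NULL;" on a local right before "return err;" cannot fix a
 * double free, and where a NULL store does help.  xfree() stands in for
 * kfree() and remembers released pointers.  All names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#define MAX_TRACK 16
static uintptr_t released[MAX_TRACK];
static int nreleased;
static int double_frees;	/* releases of an already-released pointer */

static void xfree(void *p)
{
	int i;
	if (!p)
		return;			/* like kfree(): NULL is a no-op */
	for (i = 0; i < nreleased; i++) {
		if (released[i] == (uintptr_t)p) {
			double_frees++;	/* the bug we want to observe */
			return;		/* never hand it to free() twice */
		}
	}
	if (nreleased < MAX_TRACK)
		released[nreleased++] = (uintptr_t)p;
	free(p);
}

/* Same shape as the tail of esp_init_authenc(): several checks may
 * "goto free_key", but at most one fires per call, and after the label
 * control falls straight through to "error:" and returns. */
static int init_local(int fail_first, int fail_second)
{
	char *key = malloc(32);
	int err = -ENOMEM;
	if (!key)
		goto error;
	err = -EINVAL;
	if (fail_first)
		goto free_key;
	if (fail_second)
		goto free_key;
	err = 0;			/* the success path frees key too */
free_key:
	xfree(key);
	key = NULL;			/* dead store: key dies at the return */
error:
	return err;
}

/* How many times init_local() released its key for the given failures. */
static int frees_in_init_local(int fail_first, int fail_second)
{
	nreleased = double_frees = 0;
	init_local(fail_first, fail_second);
	return nreleased + double_frees;
}

/* A real double free needs the pointer to outlive the function.  Here it
 * lives in an owning struct whose destructor releases it again. */
struct ctx { char *key; };

static void ctx_destroy(struct ctx *c)
{
	xfree(c->key);
	c->key = NULL;
}

static int setup(struct ctx *c, int fail, int clear_on_error)
{
	int err = 0;
	c->key = malloc(32);
	if (!c->key)
		return -ENOMEM;
	if (fail) {
		err = -EINVAL;
		goto free_key;
	}
	return 0;
free_key:
	xfree(c->key);
	if (clear_on_error)
		c->key = NULL;		/* not dead: ctx_destroy() reads c->key */
	return err;
}

/* Double frees seen when setup() fails and the owner then tears down. */
static int double_frees_after_teardown(int clear_on_error)
{
	struct ctx c = { 0 };
	nreleased = double_frees = 0;
	setup(&c, 1, clear_on_error);
	ctx_destroy(&c);
	return double_frees;
}
```

With the real free() the second release in the `setup()` case would abort the process under glibc's double-free detection, which is why the stand-in records released pointers instead. The contrast between the two NULL stores is the whole point: `key = NULL` in `init_local()` is followed only by `return`, while `c->key = NULL` in `setup()` is read later by `ctx_destroy()`, so only the second one changes what happens.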