On 01/30/2019 01:35 PM, Ramin Farajpour Cami wrote:
> key/tmp is being kfree'd twice,once in the
> "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" call
> to "free_key",twice When "crypto_aead_setauthsize(aead,
> x->aalg->alg_trunc_len / 8)" fails call to again "free_key",
>
> Signed-off-by: Ramin Farajpour Cami <[email protected]>
> ---
> net/ipv4/esp4.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> index 5459f41fc26f..5a66e47641b0 100644
> --- a/net/ipv4/esp4.c
> +++ b/net/ipv4/esp4.c
> @@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff
> *skb, struct esp_info *
>
> error_free:
> kfree(tmp);
> + tmp = NULL;
Clearing tmp right before a "return err;" has no effect at all.
> error:
> return err;
> }
> @@ -959,7 +960,7 @@ static int esp_init_authenc(struct xfrm_state *x)
>
> free_key:
> kfree(key);
> -
> + key = NULL;
Same here, this is essentially dead code.
> error:
> return err;
> }
>
