From: Ramin Farajpour Cami <ramin.black...@gmail.com> Date: Wed, 30 Jan 2019 21:35:42 +0000
> key/tmp is being kfree'd twice,once in the > "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" call > to "free_key",twice When "crypto_aead_setauthsize(aead, > x->aalg->alg_trunc_len / 8)" fails call to again "free_key", > > Signed-off-by: Ramin Farajpour Cami <ramin.black...@gmail.com> > --- > net/ipv4/esp4.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c > index 5459f41fc26f..5a66e47641b0 100644 > --- a/net/ipv4/esp4.c > +++ b/net/ipv4/esp4.c > @@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff > *skb, struct esp_info * > > error_free: > kfree(tmp); > + tmp = NULL; > error: > return err; > } This makes no sense at all, the function returns right after the kfree() and tmp is never referenced again!
