diff options
author | Xiyu Yang <xiyuyang19@fudan.edu.cn> | 2020-04-15 16:39:56 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-04-18 13:17:04 -0700 |
commit | 441870ee4240cf67b5d3ab8e16216a9ff42eb5d6 (patch) | |
tree | 51f978e622ce9337532be2ee78ea093f27c3b9f9 /net | |
parent | d03f228470a8c0a22b774d1f8d47071e0de4f6dd (diff) | |
download | linux-441870ee4240cf67b5d3ab8e16216a9ff42eb5d6.tar.gz linux-441870ee4240cf67b5d3ab8e16216a9ff42eb5d6.tar.bz2 linux-441870ee4240cf67b5d3ab8e16216a9ff42eb5d6.zip |
tipc: Fix potential tipc_aead refcnt leak in tipc_crypto_rcv
tipc_crypto_rcv() invokes tipc_aead_get(), which returns a reference of
the tipc_aead object to "aead" with increased refcnt.
When tipc_crypto_rcv() returns, the original local reference of "aead"
becomes invalid, so the refcount should be decreased to keep refcount
balanced.
The issue happens in one error path of tipc_crypto_rcv(). When TIPC
message decryption status is EINPROGRESS or EBUSY, the function forgets
to decrease the refcnt increased by tipc_aead_get() and causes a refcnt
leak.
Fix this issue by calling tipc_aead_put() on the error path when TIPC
message decryption status is EINPROGRESS or EBUSY.
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/tipc/crypto.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index c8c47fc72653..8c47ded2edb6 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -1712,6 +1712,7 @@ exit: case -EBUSY: this_cpu_inc(stats->stat[STAT_ASYNC]); *skb = NULL; + tipc_aead_put(aead); return rc; default: this_cpu_inc(stats->stat[STAT_NOK]); |