xfrm: Fix xfrm_state_clone leak
Herbert Xu [Mon, 15 Feb 2010 20:00:51 +0000 (20:00 +0000)]
xfrm_state_clone calls kfree instead of xfrm_state_put to free
a failed state.  Depending on the state of the failed state, it
can cause leaks to things like module references.

All states should be freed by xfrm_state_put past the point of
xfrm_init_state.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/xfrm/xfrm_state.c

index b36cc34..f445ea1 100644 (file)
@@ -1102,7 +1102,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
        int err = -ENOMEM;
        struct xfrm_state *x = xfrm_state_alloc(net);
        if (!x)
-               goto error;
+               goto out;
 
        memcpy(&x->id, &orig->id, sizeof(x->id));
        memcpy(&x->sel, &orig->sel, sizeof(x->sel));
@@ -1160,16 +1160,10 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
        return x;
 
  error:
+       xfrm_state_put(x);
+out:
        if (errp)
                *errp = err;
-       if (x) {
-               kfree(x->aalg);
-               kfree(x->ealg);
-               kfree(x->calg);
-               kfree(x->encap);
-               kfree(x->coaddr);
-       }
-       kfree(x);
        return NULL;
 }