From patchwork Fri Sep 14 19:58:32 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mathias Krause
X-Patchwork-Id: 184021
X-Patchwork-Delegate: davem@davemloft.net
From: Mathias Krause To: "David S. Miller" Cc: Steffen Klassert , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause , stable@vger.kernel.org Subject: [PATCH] xfrm_user: return error pointer instead of NULL #2 Date: Fri, 14 Sep 2012 21:58:32 +0200 Message-Id: <1347652712-14584-1-git-send-email-minipli@googlemail.com> X-Mailer: git-send-email 1.7.10.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org When dump_one_policy() returns an error, e.g. because of a too small buffer to dump the whole xfrm policy, xfrm_policy_netlink() returns NULL instead of an error pointer. But its caller expects an error pointer and therefore continues to operate on a NULL skbuff. Cc: stable@vger.kernel.org Signed-off-by: Mathias Krause Acked-by: Steffen Klassert --- Note, this is a different, but similar issue as my previous patch with the almost same subject. I'm not aware of a way how to exploit this bug as the policy *should* always fit into the netlink buffer but better safe then sorry, so cc stable. net/xfrm/xfrm_user.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index dac08e2..d12b625 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1548,6 +1548,7 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, { struct xfrm_dump_info info; struct sk_buff *skb; + int err; skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); if (!skb) @@ -1558,9 +1559,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, info.nlmsg_seq = seq; info.nlmsg_flags = 0; - if (dump_one_policy(xp, dir, 0, &info) < 0) { + err = dump_one_policy(xp, dir, 0, &info); + if (err) { kfree_skb(skb); - return NULL; + return ERR_PTR(err); } return skb;
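Review bot: In the first hunk (@@ -1548,6 +1548,7), the context stops at `if (!skb)` directly after `nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL)`, so the allocation-failure return is not visible. The commit message says the caller expects an error pointer, so that branch needs the same check: if it returns NULL, the caller still ends up operating on a NULL skbuff. It should return an error pointer such as `ERR_PTR(-ENOMEM)`, matching what the `dump_one_policy()` path does after this change.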
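Review bot: In the second hunk (@@ -1558,9 +1559,10), the condition changes from `dump_one_policy(xp, dir, 0, &info) < 0` to `if (err)`, so a positive return value now also takes the error path. `ERR_PTR()` of a positive value is not recognized by `IS_ERR()`, which means the caller would treat the result as a valid skb after `kfree_skb(skb)` has already run. Either keep the test as `if (err < 0)`, or state in the commit message that `dump_one_policy()` only ever returns 0 or a negative errno.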