| Field | Value |
|---|---|
| Message ID | 1586939996-69937-1-git-send-email-xiyuyang19@fudan.edu.cn |
| State | Accepted |
| Delegated to: | David Miller |
| Series | tipc: Fix potential tipc_aead refcnt leak in tipc_crypto_rcv |
From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Date: Wed, 15 Apr 2020 16:39:56 +0800

> tipc_crypto_rcv() invokes tipc_aead_get(), which returns a reference of
> the tipc_aead object to "aead" with increased refcnt.
>
> When tipc_crypto_rcv() returns, the original local reference of "aead"
> becomes invalid, so the refcount should be decreased to keep refcount
> balanced.
>
> The issue happens in one error path of tipc_crypto_rcv(). When TIPC
> message decryption status is EINPROGRESS or EBUSY, the function forgets
> to decrease the refcnt increased by tipc_aead_get() and causes a refcnt
> leak.
>
> Fix this issue by calling tipc_aead_put() on the error path when TIPC
> message decryption status is EINPROGRESS or EBUSY.
>
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>

Applied and queued up for -stable.

This code is harder to audit than it needs to be due to the special
casing of things like -ENOKEY etc. It should rather explicitly handle
the NULL test on aead in this top-level piece of code, which would make
the validation of aead reference counting much more explicit and clear.
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index c8c47fc72653..8c47ded2edb6 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -1712,6 +1712,7 @@ int tipc_crypto_rcv(struct net *net, struct tipc_crypto *rx, case -EBUSY: this_cpu_inc(stats->stat[STAT_ASYNC]); *skb = NULL; + tipc_aead_put(aead); return rc; default: this_cpu_inc(stats->stat[STAT_NOK]);
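Review bot: the commit message says the leak occurs when decryption returns either -EINPROGRESS or -EBUSY, but the hunk's context shows only `case -EBUSY:`; please confirm that -EINPROGRESS shares this case body (a fall-through label just above the visible context) so that the single `tipc_aead_put(aead);` added before `return rc;` covers both statuses, otherwise the -EINPROGRESS path still leaks the reference taken by tipc_aead_get(). A one-line comment on this case noting that the async path now owns `*skb` and that the local aead reference is dropped here would also make the ownership transfer easier to audit, which is the concern raised in the reply.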