[SRU][F][PATCH 1/3] tls: rx: coalesce exit paths in tls_decrypt_sg()
Juerg Haefliger
juerg.haefliger at canonical.com
Thu Sep 5 14:26:41 UTC 2024
From: Jakub Kicinski <kuba at kernel.org>
Jump to the free() call, instead of having to remember
to free the memory in multiple places.
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
(backported from commit 03957d84055e59235c7d57c95a37617bd3aa5646)
[juergh: Adjusted context.]
CVE-2024-26800
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
---
net/tls/tls_sw.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 744b4bb0740c..9fade9e24911 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1498,10 +1498,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
err = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE,
iv + iv_offset + prot->salt_size,
prot->iv_size);
- if (err < 0) {
- kfree(mem);
- return err;
- }
+ if (err < 0)
+ goto exit_free;
if (prot->version == TLS_1_3_VERSION)
memcpy(iv + iv_offset, tls_ctx->rx.iv,
prot->iv_size + prot->salt_size);
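Review bot: The subject line names tls_decrypt_sg(), but every hunk header in this backport places the change in decrypt_internal(), and the `[juergh: Adjusted context.]` line does not record that difference. Noting it in the backport line, for example `[juergh: Adjusted context; the function is decrypt_internal() in this tree.]`, would make this CVE-2024-26800 prerequisite easier to audit against upstream commit 03957d84055e. The function body starts and ends outside this hunk.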
@@ -1522,10 +1520,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
err = skb_to_sgvec(skb, &sgin[1],
rxm->offset + prot->prepend_size,
rxm->full_len - prot->prepend_size);
- if (err < 0) {
- kfree(mem);
- return err;
- }
+ if (err < 0)
+ goto exit_free;
if (n_sgout) {
if (out_iov) {
@@ -1558,7 +1554,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
/* Release the pages in case iov was mapped to pages */
for (; pages > 0; pages--)
put_page(sg_page(&sgout[pages]));
-
+exit_free:
kfree(mem);
return err;
}
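Review bot: Nothing at the new `exit_free:` label records why it is safe for the two `goto exit_free` sites in the earlier hunks to bypass the `put_page()` loop above it and free only `mem`. From the visible context both jumps occur before the `if (n_sgout)` / `if (out_iov)` output mapping, so presumably no page references are held at that point, but the code between the hunks is not shown and should be checked. A one-line comment above the label, such as `/* Reached before any output pages are pinned; only mem is owned here. */`, would pin that ownership contract for later changes to this error path. The function begins outside this hunk.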
--
2.43.0