[SRU][J][PATCH 1/3] tls: rx: coalesce exit paths in tls_decrypt_sg()
Juerg Haefliger
juerg.haefliger at canonical.com
Thu Sep 5 14:26:42 UTC 2024
From: Jakub Kicinski <kuba at kernel.org>
Jump to the free() call, instead of having to remember
to free the memory in multiple places.
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
(backported from commit 03957d84055e59235c7d57c95a37617bd3aa5646)
[juergh: Adjusted context.]
CVE-2024-26800
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
---
net/tls/tls_sw.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 065454136be7..02d2e883d476 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1501,10 +1501,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
err = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE,
iv + iv_offset + prot->salt_size,
prot->iv_size);
- if (err < 0) {
- kfree(mem);
- return err;
- }
+ if (err < 0)
+ goto exit_free;
if (prot->version == TLS_1_3_VERSION ||
prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305)
memcpy(iv + iv_offset, tls_ctx->rx.iv,
@@ -1525,10 +1523,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
err = skb_to_sgvec(skb, &sgin[1],
rxm->offset + prot->prepend_size,
rxm->full_len - prot->prepend_size);
- if (err < 0) {
- kfree(mem);
- return err;
- }
+ if (err < 0)
+ goto exit_free;
if (n_sgout) {
if (out_iov) {
@@ -1561,7 +1557,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
/* Release the pages in case iov was mapped to pages */
for (; pages > 0; pages--)
put_page(sg_page(&sgout[pages]));
-
+exit_free:
kfree(mem);
return err;
}
--
2.43.0
More information about the kernel-team
mailing list