xfrm: Fix xfrm_state_clone leak

xfrm_state_clone calls kfree instead of xfrm_state_put to free a failed state. Depending on the state of the failed state, it can cause leaks to things like module references. All states should be freed by xfrm_state_put past the point of xfrm_init_state. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2010-02-15 20:00:51 +0000
committer: David S. Miller <davem@davemloft.net> 2010-02-16 14:53:24 -0800
commit: 553f9118abc4fc53674fff87f6fe5fa3f56a41ed (patch)
tree: 8b6fcbbfc3709915cc733aa48a49f95d9f930e89 /net/xfrm
parent: 10e7454ed7a2da39f1f6255f63d7df27ab4bb67f (diff)
download: linux-553f9118abc4fc53674fff87f6fe5fa3f56a41ed.tar.gz
1 files changed, 3 insertions, 9 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index b36cc344474b..f445ea1c5f52 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1102,7 +1102,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
 	int err = -ENOMEM;
 	struct xfrm_state *x = xfrm_state_alloc(net);
 	if (!x)
-		goto error;
+		goto out;
 
 	memcpy(&x->id, &orig->id, sizeof(x->id));
 	memcpy(&x->sel, &orig->sel, sizeof(x->sel));
@@ -1160,16 +1160,10 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
 	return x;
 
  error:
+	xfrm_state_put(x);
+out:
 	if (errp)
 		*errp = err;
-	if (x) {
-		kfree(x->aalg);
-		kfree(x->ealg);
-		kfree(x->calg);
-		kfree(x->encap);
-		kfree(x->coaddr);
-	}
-	kfree(x);
 	return NULL;
 }
author	Herbert Xu <herbert@gondor.apana.org.au>	2010-02-15 20:00:51 +0000
committer	David S. Miller <davem@davemloft.net>	2010-02-16 14:53:24 -0800
commit	553f9118abc4fc53674fff87f6fe5fa3f56a41ed (patch)
tree	8b6fcbbfc3709915cc733aa48a49f95d9f930e89 /net/xfrm
parent	10e7454ed7a2da39f1f6255f63d7df27ab4bb67f (diff)
download	linux-553f9118abc4fc53674fff87f6fe5fa3f56a41ed.tar.gz