From 4e115113c9e9fa391c177dfc113eceaf0a9cb8b4 Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Mon, 11 May 2015 14:49:01 +0200
Subject: [PATCH] xfrm: fix potential NULL dereference
If xfrmnl_sel_alloc() returns NULL, the daddr and saddr members are still accessed, leading to a potential NULL dereference. The same is the case for xfrmnl_user_tmpl_alloc(). Fix this by returning NULL right away if allocation fails.
http://lists.infradead.org/pipermail/libnl/2015-May/001874.html
Signed-off-by: Tobias Klauser
Signed-off-by: Thomas Haller
---
 lib/xfrm/selector.c | 5 +++--
 lib/xfrm/template.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/xfrm/selector.c b/lib/xfrm/selector.c
index 17e5101..d52d8df 100644
--- a/lib/xfrm/selector.c
+++ b/lib/xfrm/selector.c
@@ -97,9 +97,10 @@ struct xfrmnl_sel* xfrmnl_sel_clone(struct xfrmnl_sel* sel)
 struct xfrmnl_sel* new;
 new = xfrmnl_sel_alloc();
- if (new)
- memcpy ((void*)new, (void*)sel, sizeof (struct xfrmnl_sel));
+ if (!new)
+ return NULL;
+ memcpy(new, sel, sizeof(struct xfrmnl_sel));
 new->daddr = nl_addr_clone(sel->daddr);
 new->saddr = nl_addr_clone(sel->saddr);
diff --git a/lib/xfrm/template.c b/lib/xfrm/template.c
index 5d6d8c9..fdfa4c2 100644
--- a/lib/xfrm/template.c
+++ b/lib/xfrm/template.c
@@ -91,9 +91,10 @@ struct xfrmnl_user_tmpl* xfrmnl_user_tmpl_clone(struct xfrmnl_user_tmpl* utmpl)
 struct xfrmnl_user_tmpl* new;
 new = xfrmnl_user_tmpl_alloc();
- if (new)
- memcpy ((void*)new, (void*)utmpl, sizeof (struct xfrmnl_user_tmpl));
+ if (!new)
+ return NULL;
+ memcpy(new, utmpl, sizeof(struct xfrmnl_user_tmpl));
 new->id.daddr = nl_addr_clone (utmpl->id.daddr);
 new->saddr = nl_addr_clone (utmpl->saddr);
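Review bot: The two `nl_addr_clone()` results at the end of the `xfrmnl_sel_clone()` hunk are stored without a check, so an allocation failure there still hands the caller a clone whose `daddr` or `saddr` is NULL although the source selector had one; the same holds for `new->id.daddr` and `new->saddr` in the `xfrmnl_user_tmpl_clone()` hunk. For an IPsec selector or template that is a silently different object rather than only a later crash risk, so I would add `if (!new->daddr || !new->saddr)` after the two assignments, release the partially built clone and return NULL. Whether `nl_addr_clone()` tolerates a NULL argument is not visible here, so a source object with an unset address may need its own guard before the call. Both function bodies continue past the hunks, so the return path is not shown.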