From 75b8c133267053c9986a7c8db5131f0e7349e806 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Tue, 11 Dec 2007 04:38:08 -0800 Subject: [IPSEC]: Fix potential dst leak in xfrm_lookup If we get an error during the actual policy lookup we don't free the original dst while the caller expects us to always free the original dst in case of error. This patch fixes that. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/xfrm/xfrm_policy.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'net/xfrm') diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 9a4cf2e45a1..b91b16671c1 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1318,8 +1318,9 @@ restart: if (sk && sk->sk_policy[XFRM_POLICY_OUT]) { policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); + err = PTR_ERR(policy); if (IS_ERR(policy)) - return PTR_ERR(policy); + goto dropdst; } if (!policy) { @@ -1330,8 +1331,9 @@ restart: policy = flow_cache_lookup(fl, dst_orig->ops->family, dir, xfrm_policy_lookup); + err = PTR_ERR(policy); if (IS_ERR(policy)) - return PTR_ERR(policy); + goto dropdst; } if (!policy) @@ -1501,8 +1503,9 @@ restart: return 0; error: - dst_release(dst_orig); xfrm_pols_put(pols, npols); +dropdst: + dst_release(dst_orig); *dst_p = NULL; return err; } -- cgit v1.2.3