| Message ID | 20190724034916.28703-1-baijiaju1990@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] block: drbd: Fix a possible null-pointer dereference in receive_protocol() | expand |
On Wed, Jul 24, 2019 at 11:49:16AM +0800, Jia-Ju Bai wrote: > In receive_protocol(), when crypto_alloc_shash() on line 3754 fails, > peer_integrity_tfm is NULL, and error handling code is executed. > In this code, crypto_free_shash() is called with NULL, which can cause a > null-pointer dereference, because: > crypto_free_shash(NULL) > crypto_ahash_tfm(NULL) > "return &NULL->base" > > To fix this bug, peer_integrity_tfm is checked before calling > crypto_free_shash(). > > This bug is found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Reviewed-by: Roland Kammerer <roland.kammerer@linbit.com>
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c index 90ebfcae0ce6..a4df2b8291f6 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c @@ -3807,7 +3807,8 @@ static int receive_protocol(struct drbd_connection *connection, struct packet_in disconnect_rcu_unlock: rcu_read_unlock(); disconnect: - crypto_free_shash(peer_integrity_tfm); + if (peer_integrity_tfm) + crypto_free_shash(peer_integrity_tfm); kfree(int_dig_in); kfree(int_dig_vv); conn_request_state(connection, NS(conn, C_DISCONNECTING), CS_HARD);
In receive_protocol(), when crypto_alloc_shash() on line 3754 fails, peer_integrity_tfm is NULL, and error handling code is executed. In this code, crypto_free_shash() is called with NULL, which can cause a null-pointer dereference, because: crypto_free_shash(NULL) crypto_ahash_tfm(NULL) "return &NULL->base" To fix this bug, peer_integrity_tfm is checked before calling crypto_free_shash(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> --- drivers/block/drbd/drbd_receiver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)