Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188521. In function
skcipher_recvmsg_async(), variable err takes the return value, and its
value should be negative on failures. Because variable err may be
reassigned and checked before calling kcalloc(), its value may be 0
(indicates no error) even if kcalloc() fails. This patch fixes the bug
by explicitly assigning -ENOMEM to err when kcalloc() returns a NULL
pointer.
Signed-off-by: Pan Bian <[email protected]>
---
crypto/algif_skcipher.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 28556fc..bfb0a1a 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -566,8 +566,10 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
* need to expand */
tmp = kcalloc(tx_nents * 2, sizeof(*tmp),
GFP_KERNEL);
- if (!tmp)
+ if (!tmp) {
+ err = -ENOMEM;
goto free;
+ }
sg_init_table(tmp, tx_nents * 2);
for (x = 0; x < tx_nents; x++)
--
1.9.1
On Thu, Dec 01, 2016 at 10:04:43AM +0800, Pan Bian wrote:
> Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188521. In function
> skcipher_recvmsg_async(), variable err takes the return value, and its
> value should be negative on failures. Because variable err may be
> reassigned and checked before calling kcalloc(), its value may be 0
> (indicates no error) even if kcalloc() fails. This patch fixes the bug
> by explicitly assigning -ENOMEM to err when kcalloc() returns a NULL
> pointer.
>
> Signed-off-by: Pan Bian <[email protected]>
Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt