2024-06-06 18:34:18

by Alexander Sapozhnikov

[permalink] [raw]
Subject: [PATCH] crypto: algif_aead: deref after NULL

From: Alexandr Sapozhnikov <[email protected]>

After having been compared to a NULL value at algif_aead.c:191,
pointer 'tsgl_src' is passed as 2nd parameter in call to function
'crypto_aead_copy_sgl' at algif_aead.c:244, where it is
dereferenced at algif_aead.c:85.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Alexandr Sapozhnikov <[email protected]>
---
crypto/algif_aead.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
index 42493b4..f757907 100644
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -191,7 +191,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
if (tsgl_src)
break;
}
- if (processed && !tsgl_src) {
+ if (processed || !tsgl_src) {
err = -EFAULT;
goto free;
}
--
2.5.3