diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2025-04-23 11:25:45 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2025-04-24 18:06:05 -0700 |
| commit | 3a4236c379543878e957004d3415152d28955481 (patch) | |
| tree | d7952eef3ae297bba197952d49f45c9d29815424 /net | |
| parent | ffb0c5c4cf666380b8786e87c954967cbad22ad8 (diff) | |
| download | ath-3a4236c379543878e957004d3415152d28955481.tar.gz | |
rxrpc: rxgk: Fix some reference count leaks
These paths should call rxgk_put(gk) but they don't. In the
rxgk_construct_response() function the "goto error;" will free the
"response" skb as well calling rxgk_put() so that's a bonus.
Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/aAikCbsnnzYtVmIA@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/rxrpc/rxgk.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index ba8bc201b8d38..1e19c605bcc82 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c @@ -440,8 +440,10 @@ static int rxgk_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) return PTR_ERR(gk) == -ESTALE ? -EKEYREJECTED : PTR_ERR(gk); ret = key_validate(call->conn->key); - if (ret < 0) + if (ret < 0) { + rxgk_put(gk); return ret; + } call->security_enctype = gk->krb5->etype; txb->cksum = htons(gk->key_number); @@ -483,7 +485,7 @@ static int rxgk_verify_packet_integrity(struct rxrpc_call *call, hdr = kzalloc(sizeof(*hdr), GFP_NOFS); if (!hdr) - return -ENOMEM; + goto put_gk; hdr->epoch = htonl(call->conn->proto.epoch); hdr->cid = htonl(call->cid); @@ -505,6 +507,7 @@ static int rxgk_verify_packet_integrity(struct rxrpc_call *call, sp->len = len; } +put_gk: rxgk_put(gk); _leave(" = %d", ret); return ret; @@ -594,6 +597,7 @@ static int rxgk_verify_packet(struct rxrpc_call *call, struct sk_buff *skb) call->security_enctype = gk->krb5->etype; switch (call->conn->security_level) { case RXRPC_SECURITY_PLAIN: + rxgk_put(gk); return 0; case RXRPC_SECURITY_AUTH: return rxgk_verify_packet_integrity(call, gk, skb); @@ -969,7 +973,7 @@ static int rxgk_construct_response(struct rxrpc_connection *conn, ret = rxgk_pad_out(response, authx_len, authx_offset + authx_len); if (ret < 0) - return ret; + goto error; len = authx_offset + authx_len + ret; if (len != response->len) { |
