Re: [PATCH] drbd: dynamically allocate shash descriptor

From: Arnd Bergmann
Date: Mon Jun 17 2019 - 16:44:07 EST


On Mon, Jun 17, 2019 at 4:36 PM Roland Kammerer
<roland.kammerer@xxxxxxxxxx> wrote:
> > @@ -5572,6 +5579,7 @@ static int drbd_do_auth(struct drbd_connection *connection)
> > kfree(response);
> > kfree(right_response);
> > shash_desc_zero(desc);
> > + kfree(desc);
> >
> > return rv;
> > }
>
> Hi Arnd,
>
> are you sure your cleanup is okay?
>
> > shash_desc_zero(desc);
> > + kfree(desc);
>
> You shash_desc_zero() a potential NULL pointer. memzero_expicit() in the
> function then dereferences it:
>
> memzero_explicit(desc,
> sizeof(*desc) + crypto_shash_descsize(desc->tfm));
>
> Maybe some if (desc) guard?

Good catch. I guess kzfree() would have been the right thing to call.

Arnd