[PATCH] sctp: auth: fix inconsistent key release in sctp_auth_set_key error path
From: WenTao Liang
Date: Thu Jun 11 2026 - 21:26:13 EST
When sctp_auth_create_key() fails in sctp_auth_set_key(), the newly
allocated shared key was freed via kfree() instead of the proper
refcount-aware helper sctp_auth_shkey_release(). While both are
functionally equivalent in this specific error path (cur_key->key is
NULL, refcnt is 1, and the key is not yet shared), using kfree()
bypasses the refcount abstraction and creates a latent bug if the
code is later reordered (e.g. cur_key->key set before the allocation
check). All other error and success paths in this function correctly
use sctp_auth_shkey_release().
Cc: stable@xxxxxxxxxxxxxxx
Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
net/sctp/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index be9782760f50..84708f87392f 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -753,7 +753,7 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
/* Create a new key data based on the info passed in */
key = sctp_auth_create_key(auth_key->sca_keylength, GFP_KERNEL);
if (!key) {
- kfree(cur_key);
+ sctp_auth_shkey_release(cur_key);
return -ENOMEM;
}
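Review bot: in the `if (!key)` branch, the changelog itself says kfree(cur_key) and sctp_auth_shkey_release(cur_key) are functionally equivalent here (cur_key->key is NULL, refcnt is 1, the key is not yet shared). That makes this a consistency cleanup, not a fix for an existing bug. The "Fixes:" and "Cc: stable" tags do not match that description. Please either drop both tags and word the subject as a cleanup, or describe in the log the concrete misbehaviour that the current kfree() causes. It would also help to state in the log that the release helper's teardown is safe on a shared key whose ->key has not been assigned yet, since that is the state cur_key is in when this branch runs.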
--
2.50.1 (Apple Git-155)