xfrm: Reset secpath in xfrm failure
author Myungho Jung <mhjungk@gmail.com>
Thu, 7 Mar 2019 01:23:08 +0000 (10:23 +0900)
committer Steffen Klassert <steffen.klassert@secunet.com>
Fri, 8 Mar 2019 06:32:16 +0000 (07:32 +0100)
commit 6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be
tree a98a3ee9e14b9896bef16ea1b842d4d6c3f7ce8d
parent b805d78d300bcf2c83d6df7da0c818b0fee41427
xfrm: Reset secpath in xfrm failure

In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated
without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would
fail and result in dereferencing an invalid pointer in esp4_gso_segment()
and esp6_gso_segment(). Reset secpath if the xfrm function returns an error.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Reported-by: syzbot+b69368fd933c6c592f4c@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/ipv4/esp4_offload.c
net/ipv6/esp6_offload.c
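
A user-space C model of the failure described in the commit message, added here as an illustration; it is not kernel code and not part of the commit. All `model_*` names and the sample values are hypothetical, and the length guard in `model_gso_state()` exists only so the model never performs the out-of-bounds read itself.

```c
#include <stdio.h>
#include <stdlib.h>
#define MODEL_MAX_DEPTH 6 /* constructed bound for this model */
struct model_state { int spi; };
struct model_secpath { int len; struct model_state *xvec[MODEL_MAX_DEPTH]; };
struct model_skb { struct model_secpath *sp; };

/* Receive path: allocate the secpath, then attach a state to xvec.
 * lookup_ok == 0 models the xfrm error; reset_on_error == 1 models the reset. */
static int model_gro_receive(struct model_skb *skb, struct model_state *x,
                             int lookup_ok, int reset_on_error)
{
    skb->sp = calloc(1, sizeof(*skb->sp)); /* secpath exists, len == 0 */
    if (!skb->sp)
        return -1;
    if (!lookup_ok) {
        if (reset_on_error) { /* do not leave an empty secpath behind */
            free(skb->sp);
            skb->sp = NULL;
        }
        return -1;
    }
    skb->sp->xvec[skb->sp->len++] = x;
    return 0;
}

/* 1 when a secpath is attached but xvec holds no state (the bad shape). */
static int model_empty_sp(const struct model_skb *skb)
{
    return skb->sp != NULL && skb->sp->len == 0;
}

/* Segment path. The guard is model-only; without it len == 0 reads xvec[-1]. */
static struct model_state *model_gso_state(const struct model_skb *skb)
{
    if (!skb->sp || skb->sp->len <= 0 || skb->sp->len > MODEL_MAX_DEPTH)
        return NULL;
    return skb->sp->xvec[skb->sp->len - 1];
}

int main(void)
{
    struct model_state st = { 0x1234 }; /* constructed sample state */
    struct model_skb a = { 0 }, b = { 0 };
    model_gro_receive(&a, &st, 0, 0);   /* error, secpath left in place */
    model_gro_receive(&b, &st, 0, 1);   /* error, secpath reset */
    printf("no reset: %d, reset: %d\n", model_empty_sp(&a), model_empty_sp(&b));
    free(a.sp);
    return 0;
}
```

The invariant the model makes visible is that a packet either has no secpath or has one with at least one entry in xvec; a consumer indexing `xvec[len - 1]` depends on it.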