diff options
| author | Zilin Guan <zilin@seu.edu.cn> | 2025-11-10 06:41:25 +0000 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2025-11-14 10:12:36 +0100 |
| commit | a55ef3bff84f11ee8c84a1ae29b071ffd4ccbbd9 (patch) | |
| tree | 39577cdcba685dbefd8db17e405b185e55e497db /net/xfrm | |
| parent | 59630e2ccd728703cc826e3a3515d70f8c7a766c (diff) | |
xfrm: fix memory leak in xfrm_add_acquire()
The xfrm_add_acquire() function constructs an xfrm policy by calling
xfrm_policy_construct(). This allocates the policy structure and
potentially associates a security context and a device policy with it.
However, at the end of the function, the policy object is freed using
only kfree() . This skips the necessary cleanup for the security context
and device policy, leading to a memory leak.
To fix this, invoke the proper cleanup functions xfrm_dev_policy_delete(),
xfrm_dev_policy_free(), and security_xfrm_policy_free() before freeing the
policy object. This approach mirrors the error handling path in
xfrm_add_policy(), ensuring that all associated resources are correctly
released.
Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')
| -rw-r--r-- | net/xfrm/xfrm_user.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 9d98cc9daa37..403b5ecac2c5 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -3038,6 +3038,9 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, } xfrm_state_free(x); + xfrm_dev_policy_delete(xp); + xfrm_dev_policy_free(xp); + security_xfrm_policy_free(xp->security); kfree(xp); return 0; |