[Drbd-dev] [PATCH 1/2] block: drbd: Fix a possible null-pointer dereference in receive_protocol()

Jia-Ju Bai baijiaju1990 at gmail.com
Wed Jul 24 05:49:16 CEST 2019


In receive_protocol(), when crypto_alloc_shash() on line 3754 fails,
peer_integrity_tfm is NULL, and error handling code is executed.
In this code, crypto_free_shash() is called with NULL, which can cause a
null-pointer dereference, because:
crypto_free_shash(NULL)
    crypto_ahash_tfm(NULL)
        "return &NULL->base"

To fix this bug, peer_integrity_tfm is checked before calling
crypto_free_shash().

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990 at gmail.com>
---
 drivers/block/drbd/drbd_receiver.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 90ebfcae0ce6..a4df2b8291f6 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -3807,7 +3807,8 @@ static int receive_protocol(struct drbd_connection *connection, struct packet_in
 disconnect_rcu_unlock:
 	rcu_read_unlock();
 disconnect:
-	crypto_free_shash(peer_integrity_tfm);
+	if (peer_integrity_tfm)
+		crypto_free_shash(peer_integrity_tfm);
 	kfree(int_dig_in);
 	kfree(int_dig_vv);
 	conn_request_state(connection, NS(conn, C_DISCONNECTING), CS_HARD);
-- 
2.17.0



More information about the drbd-dev mailing list