From 2d31a7ac1484a964575e9c216822071fecbfe05e Mon Sep 17 00:00:00 2001
From: Alexandru Pirvulescu
Date: Mon, 21 Oct 2024 08:55:36 -0400
Subject: [PATCH] MT#55283 Ensure copy pointer don't leak memory

closes #1870

Change-Id: I18a48d2e80872ccc8a0b52a13dbc23b82d1981cb
(cherry picked from commit d728233e292c5985bcf6ef000b223f22e30eb408)
---
 kernel-module/xt_RTPENGINE.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c
index 162f14d4f..6898613ef 100644
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@@ -5743,17 +5743,25 @@ static int srtp_decrypt_aes_gcm(struct re_crypto_context *c,
 iv.seq ^= htons(pkt_idx & 0x00ffffULL);
 req = aead_request_alloc(c->aead, GFP_ATOMIC);
- if (!req)
+ if (!req) {
+ if (copy)
+ kfree(copy);
 return -ENOMEM;
- if (IS_ERR(req))
+ }
+ if (IS_ERR(req)) {
+ if (copy)
+ kfree(copy);
 return PTR_ERR(req);
+ }
 sg_init_table(sg, ARRAY_SIZE(sg));
 sg_set_buf(&sg[0], r->rtp_header, r->header_len);
 sg_set_buf(&sg[1], r->payload, r->payload_len);
 // make copy of payload in case the decyption clobbers it
- copy = kmalloc(r->payload_len, GFP_ATOMIC);
+ if (!copy)
+ copy = kmalloc(r->payload_len, GFP_ATOMIC);
+
 if (copy)
 memcpy(copy, r->payload, r->payload_len);
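Review bot: The two new error branches after `aead_request_alloc()` each repeat `if (copy) kfree(copy);`, and the guard is redundant because `kfree(NULL)` is a no-op, so each branch can be a plain `kfree(copy);` before its return. The body of `srtp_decrypt_aes_gcm` starts and ends outside this hunk, so it is not visible whether every other exit also frees `copy`. A single exit label such as `out: kfree(copy); return ret;` would stop a later early return from reintroducing the leak in this `GFP_ATOMIC` path. The `if (!copy)` guard implies this code is reached more than once per call with the same buffer, which the existing comment could state, for example `// allocate the backup once and reuse it on later passes`. It would also help to document what happens when `kmalloc` fails and no backup exists, since the code proceeds without one.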