summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephan Mueller <smueller@chronox.de>2018-04-12 08:40:55 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2018-04-21 00:57:00 +0800
commiteea0d3ea7546961f69f55b26714ac8fd71c7c020 (patch)
tree1a8cda1a7a5932789790ff6286791d999307d7c9
parentb346e492d7127e4332d5a9989b844b2095cc4fcd (diff)
downloadlinux-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.bz2
crypto: drbg - set freed buffers to NULL
During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: stable@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/drbg.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
if (!drbg)
return;
kzfree(drbg->Vbuf);
+ drbg->Vbuf = NULL;
drbg->V = NULL;
kzfree(drbg->Cbuf);
+ drbg->Cbuf = NULL;
drbg->C = NULL;
kzfree(drbg->scratchpadbuf);
drbg->scratchpadbuf = NULL;