key/tmp is being kfree'd twice: once when the check "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" jumps to "free_key", and a second time when "crypto_aead_setauthsize(aead, x->aalg->alg_trunc_len / 8)" fails and jumps to "free_key" again.
Signed-off-by: Ramin Farajpour Cami <ramin.black...@gmail.com>
---
 net/ipv4/esp4.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5459f41fc26f..5a66e47641b0 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 error_free:
 kfree(tmp);
+ tmp = NULL;
 error:
 return err;
 }
@@ -959,7 +960,7 @@ static int esp_init_authenc(struct xfrm_state *x)
 free_key:
 kfree(key);
-
+ key = NULL;
 error:
 return err;
 }
--
2.11.0
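Review bot: The added `tmp = NULL;` under `error_free:` in esp_output_tail looks like a dead store, and the same applies to `key = NULL;` under `free_key:` in esp_init_authenc. In both hunks the only code after the assignment is `error:` followed by `return err;`, so nothing visible can free the pointer again. Both function bodies start outside the hunks, so whether `tmp` and `key` are plain locals cannot be confirmed here, but if they are, the double kfree in the description would need the label to be reached twice in one call, which a forward `goto` into a tail that returns does not do. I would drop both assignments and keep the original tail, `kfree(key);` followed by the blank line and `error:`. If a double free was actually observed, the commit message should cite the report (for example a KASAN splat), and the fix belongs wherever the pointer outlives the function.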