xfrm: fix crashes in case of ENOMEM

thom311 · Nov 29, 2023 · 49c20ef · 49c20ef
1 parent 9e7b5c8
commit 49c20ef
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 14 deletions.
diff --git a/lib/xfrm/ae.c b/lib/xfrm/ae.c
@@ -541,11 +541,18 @@ int xfrmnl_ae_parse(struct nlmsghdr *n, struct xfrmnl_ae **result)
 	if (err < 0)
 		goto errout;
 
-	ae->sa_id.daddr = _nl_addr_build(ae_id->sa_id.family, &ae_id->sa_id.daddr);
+	if (!(ae->sa_id.daddr = _nl_addr_build(ae_id->sa_id.family,
+					       &ae_id->sa_id.daddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	ae->sa_id.family= ae_id->sa_id.family;
 	ae->sa_id.spi   = ntohl(ae_id->sa_id.spi);
 	ae->sa_id.proto = ae_id->sa_id.proto;
-	ae->saddr       = _nl_addr_build(ae_id->sa_id.family, &ae_id->saddr);
+	if (!(ae->saddr = _nl_addr_build(ae_id->sa_id.family, &ae_id->saddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	ae->reqid       = ae_id->reqid;
 	ae->flags       = ae_id->flags;
 	ae->ce_mask |= (XFRM_AE_ATTR_DADDR | XFRM_AE_ATTR_FAMILY | XFRM_AE_ATTR_SPI |

diff --git a/lib/xfrm/sa.c b/lib/xfrm/sa.c
@@ -806,12 +806,18 @@ int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
 	if (err < 0)
 		goto errout;
 
-	addr1 = _nl_addr_build(sa_info->sel.family, &sa_info->sel.daddr);
+	if (!(addr1 = _nl_addr_build(sa_info->sel.family, &sa_info->sel.daddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	nl_addr_set_prefixlen (addr1, sa_info->sel.prefixlen_d);
 	xfrmnl_sel_set_daddr (sa->sel, addr1);
 	xfrmnl_sel_set_prefixlen_d (sa->sel, sa_info->sel.prefixlen_d);
 
-	addr2 = _nl_addr_build(sa_info->sel.family, &sa_info->sel.saddr);
+	if (!(addr2 = _nl_addr_build(sa_info->sel.family, &sa_info->sel.saddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	nl_addr_set_prefixlen (addr2, sa_info->sel.prefixlen_s);
 	xfrmnl_sel_set_saddr (sa->sel, addr2);
 	xfrmnl_sel_set_prefixlen_s (sa->sel, sa_info->sel.prefixlen_s);
@@ -826,12 +832,18 @@ int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
 	xfrmnl_sel_set_userid (sa->sel, sa_info->sel.user);
 	sa->ce_mask             |= XFRM_SA_ATTR_SEL;
 
-	sa->id.daddr = _nl_addr_build(sa_info->family, &sa_info->id.daddr);
+	if (!(sa->id.daddr = _nl_addr_build(sa_info->family, &sa_info->id.daddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	sa->id.spi              = ntohl(sa_info->id.spi);
 	sa->id.proto            = sa_info->id.proto;
 	sa->ce_mask             |= (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO);
 
-	sa->saddr = _nl_addr_build(sa_info->family, &sa_info->saddr);
+	if (!(sa->saddr = _nl_addr_build(sa_info->family, &sa_info->saddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	sa->ce_mask             |= XFRM_SA_ATTR_SADDR;
 
 	sa->lft->soft_byte_limit    =   sa_info->lft.soft_byte_limit;
@@ -938,8 +950,11 @@ int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
 		sa->encap->encap_type   =   encap->encap_type;
 		sa->encap->encap_sport  =   ntohs(encap->encap_sport);
 		sa->encap->encap_dport  =   ntohs(encap->encap_dport);
-		sa->encap->encap_oa =
-			_nl_addr_build(sa_info->family, &encap->encap_oa);
+		if (!(sa->encap->encap_oa = _nl_addr_build(sa_info->family,
+							   &encap->encap_oa))) {
+			err = -NLE_NOMEM;
+			goto errout;
+		}
 		sa->ce_mask     |= XFRM_SA_ATTR_ENCAP;
 	}
 
@@ -949,8 +964,11 @@ int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
 	}
 
 	if (tb[XFRMA_COADDR]) {
-		sa->coaddr = _nl_addr_build(sa_info->family,
-					    nla_data(tb[XFRMA_COADDR]));
+		if (!(sa->coaddr = _nl_addr_build(
+			      sa_info->family, nla_data(tb[XFRMA_COADDR])))) {
+			err = -NLE_NOMEM;
+			goto errout;
+		}
 		sa->ce_mask         |= XFRM_SA_ATTR_COADDR;
 	}
 

diff --git a/lib/xfrm/sp.c b/lib/xfrm/sp.c
@@ -592,12 +592,18 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 		goto errout;
 	}
 
-	addr1 = _nl_addr_build(sp_info->sel.family, &sp_info->sel.daddr);
+	if (!(addr1 = _nl_addr_build(sp_info->sel.family, &sp_info->sel.daddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	nl_addr_set_prefixlen (addr1, sp_info->sel.prefixlen_d);
 	xfrmnl_sel_set_daddr (sp->sel, addr1);
 	xfrmnl_sel_set_prefixlen_d (sp->sel, sp_info->sel.prefixlen_d);
 
-	addr2 = _nl_addr_build(sp_info->sel.family, &sp_info->sel.saddr);
+	if (!(addr2 = _nl_addr_build(sp_info->sel.family, &sp_info->sel.saddr))) {
+		err = -NLE_NOMEM;
+		goto errout;
+	}
 	nl_addr_set_prefixlen (addr2, sp_info->sel.prefixlen_s);
 	xfrmnl_sel_set_saddr (sp->sel, addr2);
 	xfrmnl_sel_set_prefixlen_s (sp->sel, sp_info->sel.prefixlen_s);
@@ -673,13 +679,19 @@ int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
 				goto errout;
 			}
 
-			addr1 = _nl_addr_build(tmpl->family, &tmpl->id.daddr);
+			if (!(addr1 = _nl_addr_build(tmpl->family, &tmpl->id.daddr))) {
+				err = -NLE_NOMEM;
+				goto errout;
+			}
 			xfrmnl_user_tmpl_set_daddr (sputmpl, addr1);
 			xfrmnl_user_tmpl_set_spi (sputmpl, ntohl(tmpl->id.spi));
 			xfrmnl_user_tmpl_set_proto (sputmpl, tmpl->id.proto);
 			xfrmnl_user_tmpl_set_family (sputmpl, tmpl->family);
 
-			addr2 = _nl_addr_build(tmpl->family, &tmpl->saddr);
+			if (!(addr2 = _nl_addr_build(tmpl->family, &tmpl->saddr))) {
+				err = -NLE_NOMEM;
+				goto errout;
+			}
 			xfrmnl_user_tmpl_set_saddr (sputmpl, addr2);
 
 			xfrmnl_user_tmpl_set_reqid (sputmpl, tmpl->reqid);