Commit 2e2d6f1e authored by Stephan Mueller's avatar Stephan Mueller Committed by Greg Kroah-Hartman

crypto: drbg - set freed buffers to NULL

commit eea0d3ea upstream.

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Cc: stable@vger.kernel.org
Fixes: 3cfc3b97 ("crypto: drbg - use aligned buffers")
Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8970c12a
...@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) ...@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
if (!drbg) if (!drbg)
return; return;
kzfree(drbg->Vbuf); kzfree(drbg->Vbuf);
drbg->Vbuf = NULL;
drbg->V = NULL; drbg->V = NULL;
kzfree(drbg->Cbuf); kzfree(drbg->Cbuf);
drbg->Cbuf = NULL;
drbg->C = NULL; drbg->C = NULL;
kzfree(drbg->scratchpadbuf); kzfree(drbg->scratchpadbuf);
drbg->scratchpadbuf = NULL; drbg->scratchpadbuf = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment