The function set_sadb_address() calls the function pfkey_sockaddr_fill(), but does not check its return value. A proper implementation can be found in set_sadb_kmaddress().
Add an error check for set_sadb_address(), and return an error code if the function fails.
Fixes: e5b56652c11b ("key: Share common code path to fill sockaddr{}.")
Cc: stable@vger.kernel.org # v2.6
Signed-off-by: Wentao Liang vulab@iscas.ac.cn
---
 net/key/af_key.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c index c56bb4f451e6..537c9604e356 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -3474,15 +3474,17 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type, switch (type) { case SADB_EXT_ADDRESS_SRC: addr->sadb_address_prefixlen = sel->prefixlen_s; - pfkey_sockaddr_fill(&sel->saddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + if (!pfkey_sockaddr_fill(&sel->saddr, 0, + (struct sockaddr *)(addr + 1), + sel->family)) + return -EINVAL; break; case SADB_EXT_ADDRESS_DST: addr->sadb_address_prefixlen = sel->prefixlen_d; - pfkey_sockaddr_fill(&sel->daddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + if (!pfkey_sockaddr_fill(&sel->daddr, 0, + (struct sockaddr *)(addr + 1), + sel->family)) + return -EINVAL; break; default: return -EINVAL;
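Review bot: the new `return -EINVAL` in both the SADB_EXT_ADDRESS_SRC and SADB_EXT_ADDRESS_DST cases is taken after `addr->sadb_address_prefixlen` has already been written, so a failure leaves a partly filled address extension in the skb. The diff shows no caller, so please state in the commit message that every caller of set_sadb_address() checks the return value and drops the skb instead of sending it, which the existing `default: return -EINVAL;` path already relies on. As a style point, the two cases now carry an identical four-line check; selecting `&sel->saddr` or `&sel->daddr` into a local pointer inside the switch and making a single pfkey_sockaddr_fill() call with one check after the switch would avoid the duplication.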