Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

libceph: don't call crypto_free_sync_skcipher() on a NULL tfm

In set_secret(), key->tfm is assigned to NULL on line 55, and then
ceph_crypto_key_destroy(key) is executed.

ceph_crypto_key_destroy(key)
crypto_free_sync_skcipher(key->tfm)
crypto_free_skcipher(&tfm->base);

This happens to work because crypto_sync_skcipher is a trivial wrapper
around crypto_skcipher: &tfm->base is still 0 and crypto_free_skcipher()
handles that. Let's not rely on the layout of crypto_sync_skcipher.

This bug is found by a static analysis tool STCheck written by us.

Fixes: 69d6302b65a8 ("libceph: Remove VLA usage of skcipher").
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

Authored by Jia-Ju Bai and committed by Ilya Dryomov
e8c99200 a55aa89a

+4 -2
net/ceph/crypto.c
··· 136 136 if (key) { 137 137 kfree(key->key); 138 138 key->key = NULL; 139 - crypto_free_sync_skcipher(key->tfm); 140 - key->tfm = NULL; 139 + if (key->tfm) { 140 + crypto_free_sync_skcipher(key->tfm); 141 + key->tfm = NULL; 142 + } 141 143 } 142 144 } 143 145
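Review bot: the new `if (key->tfm)` guard in ceph_crypto_key_destroy() is the right fix, because crypto_free_sync_skcipher() forms `&tfm->base` from its argument and that is undefined for a NULL tfm even though it currently evaluates to 0 and crypto_free_skcipher() tolerates it. Keeping `key->tfm = NULL;` inside the guard loses nothing, since the field is already NULL on the skipped path. One suggestion: add a one-line comment above the guard noting that set_secret() can reach this function with key->tfm already cleared, so a later cleanup does not drop the check as apparently redundant; note also that `kfree(key->key)` needs no such guard because kfree() accepts NULL.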