From: Zhipeng Lu <alexious@zju.edu.cn>
Date: Sun, 24 Dec 2023 16:20:33 +0800
Subject: [PATCH] SUNRPC: fix a memleak in gss_import_v2_context
Git-commit: e67b652d8e8591d3b1e569dbcdfcee15993e91fa
Patch-mainline: v6.9-rc1
References: git-fixes CVE-2023-52653 bsc#1223712

The ctx->mech_used.data allocated by kmemdup is not freed in neither
gss_import_v2_context nor it only caller gss_krb5_import_sec_context,
which frees ctx on error.

Thus, this patch reform the last call of gss_import_v2_context to the
gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
formation.

Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: NeilBrown <neilb@suse.com>

---
 net/sunrpc/auth_gss/gss_krb5_mech.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -584,6 +584,7 @@ gss_import_v2_context(const void *p, con
 		gfp_t gfp_mask)
 {
 	int keylen;
+	int ret;
 
 	p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
 	if (IS_ERR(p))
@@ -638,16 +639,22 @@ gss_import_v2_context(const void *p, con
 
 	switch (ctx->enctype) {
 	case ENCTYPE_DES3_CBC_RAW:
-		return context_derive_keys_des3(ctx, gfp_mask);
+		ret = context_derive_keys_des3(ctx, gfp_mask);
+		break;
 	case ENCTYPE_ARCFOUR_HMAC:
-		return context_derive_keys_rc4(ctx);
+		ret = context_derive_keys_rc4(ctx);
+		break;
 	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
 	case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
-		return context_derive_keys_new(ctx, gfp_mask);
+		ret = context_derive_keys_new(ctx, gfp_mask);
+		break;
 	default:
-		return -EINVAL;
+		ret = -EINVAL;
 	}
 
+	if (ret)
+		kfree(ctx->mech_used.data);
+	return ret;
 out_err:
 	return PTR_ERR(p);
 }