On Wed, Jul 24, 2019 at 11:49:16AM +0800, Jia-Ju Bai wrote: > In receive_protocol(), when crypto_alloc_shash() on line 3754 fails, > peer_integrity_tfm is NULL, and error handling code is executed. > In this code, crypto_free_shash() is called with NULL, which can cause a > null-pointer dereference, because: > crypto_free_shash(NULL) > crypto_ahash_tfm(NULL) > "return &NULL->base" > > To fix this bug, peer_integrity_tfm is checked before calling > crypto_free_shash(). > > This bug is found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx> Reviewed-by: Roland Kammerer <roland.kammerer@xxxxxxxxxx>
