xfrm: fix potential NULL dereference

If xfrmnl_sel_alloc() returns NULL, the daddr and saddr members are
still accessed, leading to a potential NULL dereference. The same is the
case for xfrmnl_user_tmpl_alloc(). Fix this by returning NULL right away
if allocation fails.

http://lists.infradead.org/pipermail/libnl/2015-May/001874.html

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Thomas Haller <thaller@redhat.com>

2 files changed, 6 insertions, 4 deletions

diff --git a/lib/xfrm/selector.c b/lib/xfrm/selector.c
index 17e5101..d52d8df 100644
--- a/lib/xfrm/selector.c
+++ b/lib/xfrm/selector.c
@@ -97,9 +97,10 @@ struct xfrmnl_sel* xfrmnl_sel_clone(struct xfrmnl_sel* sel)
 	struct xfrmnl_sel* new;
 
 	new = xfrmnl_sel_alloc();
-	if (new)
-		memcpy ((void*)new, (void*)sel, sizeof (struct xfrmnl_sel));
+	if (!new)
+		return NULL;
 
+	memcpy(new, sel, sizeof(struct xfrmnl_sel));
 	new->daddr = nl_addr_clone(sel->daddr);
 	new->saddr = nl_addr_clone(sel->saddr);
 
diff --git a/lib/xfrm/template.c b/lib/xfrm/template.c
index 5d6d8c9..fdfa4c2 100644
--- a/lib/xfrm/template.c
+++ b/lib/xfrm/template.c
@@ -91,9 +91,10 @@ struct xfrmnl_user_tmpl* xfrmnl_user_tmpl_clone(struct xfrmnl_user_tmpl* utmpl)
 	struct xfrmnl_user_tmpl* new;
 
 	new = xfrmnl_user_tmpl_alloc();
-	if (new)
-		memcpy ((void*)new, (void*)utmpl, sizeof (struct xfrmnl_user_tmpl));
+	if (!new)
+		return NULL;
 
+	memcpy(new, utmpl, sizeof(struct xfrmnl_user_tmpl));
 	new->id.daddr = nl_addr_clone (utmpl->id.daddr);
 	new->saddr    = nl_addr_clone (utmpl->saddr);