[PATCH 4.14 131/167] target/iscsi: avoid NULL dereference in CHAP auth error path

From: Greg Kroah-Hartman
Date: Wed Feb 21 2018 - 08:59:25 EST


4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Disseldorp <ddiss@xxxxxxx>

commit ce512d79d0466a604793addb6b769d12ee326822 upstream.

If chap_server_compute_md5() fails early, e.g. via CHAP_N mismatch, then
crypto_free_shash() is called with a NULL pointer which gets
dereferenced in crypto_shash_tfm().

Fixes: 69110e3cedbb ("iscsi-target: Use shash and ahash")
Suggested-by: Markus Elfring <elfring@xxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: David Disseldorp <ddiss@xxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # 4.6+
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/target/iscsi/iscsi_target_auth.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -421,7 +421,8 @@ static int chap_server_compute_md5(
auth_ret = 0;
out:
kzfree(desc);
- crypto_free_shash(tfm);
+ if (tfm)
+ crypto_free_shash(tfm);
kfree(challenge);
kfree(challenge_binhex);
return auth_ret;