git/linux-cryptodev-2.6
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git synced 2026-04-05 05:07:47 -04:00
Code Issues Packages Projects Releases Wiki Activity

SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

Browse Source 
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.

Fixes: 5866efa8cb ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
This commit is contained in:
Joshua Rogers
2025-11-07 10:05:33 -05:00
committed by Chuck Lever
parent df8c841dd9
commit d4b69a6186
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
net/sunrpc/auth_gss/svcauth_gss.c
View File

@@ -1083,7 +1083,8 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
}
length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p);
memcpy(page_address(in_token->pages[0]), xdr->p, length);
if (length)
memcpy(page_address(in_token->pages[0]), xdr->p, length);
inlen -= length;
to_offs = length;