Commit 6df164e2 authored Aug 11, 2025 by Lei Lu Committed by Chuck Lever Sep 21, 2025

sunrpc: fix null pointer dereference on zero-length checksum



In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes
checksum.data to be set to NULL. This triggers a NPD when accessing
checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that
the value of checksum.len is not less than XDR_UNIT.

Fixes: 0653028e ("SUNRPC: Convert gss_verify_header() to use xdr_stream")
Cc: stable@kernel.org
Signed-off-by: Lei Lu <llfamsec@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

parent 07e27ad1

net/sunrpc/auth_gss/svcauth_gss.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -724,7 +724,7 @@ svcauth_gss_verify_header(struct svc_rqst rqstp, struct rsc rsci,
		rqstp->rq_auth_stat = rpc_autherr_badverf;
		return SVC_DENIED;
		}
		if (flavor != RPC_AUTH_GSS) {
		if (flavor != RPC_AUTH_GSS \|\| checksum.len < XDR_UNIT) {
		rqstp->rq_auth_stat = rpc_autherr_badverf;
		return SVC_DENIED;
		}