Commit 69293500 authored Apr 22, 2026 by David Howells Committed by Jakub Kicinski Apr 23, 2026

rxgk: Fix potential integer overflow in length check

Fix potential integer overflow in rxgk_extract_token() when checking the
length of the ticket.  Rather than rounding up the value to be tested
(which might overflow), round down the size of the available data.

Fixes: 2429a197 ("rxrpc: Fix untrusted unsigned subtract")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com


Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-6-dhowells@redhat.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 24481a7f

net/rxrpc/rxgk_app.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -214,7 +214,7 @@ int rxgk_extract_token(struct rxrpc_connection conn, struct sk_buff skb,
		ticket_len = ntohl(container.token_len);
		ticket_offset = token_offset + sizeof(container);

		if (xdr_round_up(ticket_len) > token_len - sizeof(container))
		if (ticket_len > xdr_round_down(token_len - sizeof(container)))
		goto short_packet;

		_debug("KVNO %u", kvno);

net/rxrpc/rxgk_common.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -34,6 +34,7 @@ struct rxgk_context {
		};

		#define xdr_round_up(x) (round_up((x), sizeof(__be32)))
		#define xdr_round_down(x) (round_down((x), sizeof(__be32)))
		#define xdr_object_len(x) (4 + xdr_round_up(x))

		/*