Commit d4b69a61 authored by Joshua Rogers, committed by Chuck Lever

SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf



A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.

Fixes: 5866efa8 ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
parent df8c841d
+2 −1
@@ -1083,6 +1083,7 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
	}

	length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p);
	if (length)
		memcpy(page_address(in_token->pages[0]), xdr->p, length);
	inlen -= length;
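
Review bot: The `if (length)` guard in front of the first memcpy carries no comment, and since a zero-length memcpy looks harmless, a later cleanup could remove the check as redundant. A one-line comment above it, saying that in_token->pages[0] is NULL for a zero-length token and so page_address() must not be evaluated, would record why the guard exists. Note that `length` is the minimum of inlen and the bytes left between xdr->p and xdr->end, so the copy is also skipped when the XDR buffer is exhausted; that is harmless because nothing would be copied, but the comment should name the NULL page as the reason.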