commit d4b69a6186b215d2dc1ebcab965ed88e8d41768d · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.

Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

authored by Joshua Rogers and committed by Chuck Lever 2 months ago d4b69a61 df8c841d

+2 -1

1 changed file

expand all

unified split

net

sunrpc

auth_gss

svcauth_gss.c

+2 -1

net/sunrpc/auth_gss/svcauth_gss.c

··· 1083 } 1084 1085 length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p); 1086 - memcpy(page_address(in_token->pages[0]), xdr->p, length); 1087 inlen -= length; 1088 1089 to_offs = length;

··· 1083 } 1084 1085 length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p); 1086 + if (length) 1087 + memcpy(page_address(in_token->pages[0]), xdr->p, length); 1088 inlen -= length; 1089 1090 to_offs = length;