]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
projects / thirdparty / kernel / stable.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: df8c841) | patch
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
authorJoshua Rogers <linux@joshua.hu>
Fri, 7 Nov 2025 15:05:33 +0000 (10:05 -0500)
committerChuck Lever <chuck.lever@oracle.com>
Mon, 8 Dec 2025 15:51:26 +0000 (10:51 -0500)
commitd4b69a6186b215d2dc1ebcab965ed88e8d41768d
tree01f00c7fc99f4114596181f3582f297e855c901atree | snapshot
parentdf8c841dd92a7f262ad4fa649aa493b181e02812commit | diff
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.

Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
net/sunrpc/auth_gss/svcauth_gss.c diff | blob | blame | history
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git