SUNRPC: Fix loop termination condition in gss_free_in_token_pages()

commit 4a77c3dead97339478c7422eb07bf4bf63577008 upstream.

The in_token->pages[] array is not NULL terminated. This results in
the following KASAN splat:

  KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]

Fixes: bafa6b4d95d9 ("SUNRPC: Fix gss_free_in_token_pages()")
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 053c65da04bcaba2f46b7147759816a76586a65b..f583a325a9255a04c03662e2011b5f73208cd67f 100644 (file)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1104,7 +1104,7 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
        }
 
        pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
-       in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
+       in_token->pages = kcalloc(pages + 1, sizeof(struct page *), GFP_KERNEL);
        if (!in_token->pages) {
                kfree(in_handle->data);
                return SVC_DENIED;