Thread (3 messages) 3 messages, 2 authors, 2022-10-20

Re: [PATCH] SUNRPC: Fix crasher in gss_unwrap_resp_integ()

From: Chuck Lever III <hidden>
Date: 2022-10-19 15:45:02 

On Oct 8, 2022, at 2:58 PM, Chuck Lever [off-list ref] wrote:

If a zero length is passed to kmalloc() it returns 0x10, which is
not a valid address. gss_unwrap_resp_integ() subsequently crashes
when it attempts to dereference that pointer.

Signed-off-by: Chuck Lever <redacted>
Hi, is there a plan to merge this patch, or does the fix need
a different approach?


quoted hunk ↗ jump to hunk
---
net/sunrpc/auth_gss/auth_gss.c |    2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index a31a27816cc0..7bb247c51e2f 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred,
		goto unwrap_failed;
	mic.len = len;
	mic.data = kmalloc(len, GFP_KERNEL);
-	if (!mic.data)
+	if (ZERO_OR_NULL_PTR(mic.data))
		goto unwrap_failed;
	if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len))
		goto unwrap_failed;

--
Chuck Lever



  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help