Hi Chuck,

On Wed, Oct 19, 2022 at 11:50 AM Chuck Lever III [off-list ref] wrote:

quoted

On Oct 8, 2022, at 2:58 PM, Chuck Lever [off-list ref] wrote:

If a zero length is passed to kmalloc() it returns 0x10, which is
not a valid address. gss_unwrap_resp_integ() subsequently crashes
when it attempts to dereference that pointer.

Signed-off-by: Chuck Lever <redacted>

Hi, is there a plan to merge this patch, or does the fix need
a different approach?

Thanks for following up. I'm planning to include it in my next
bugfixes pull request.

Anna

quoted

---
net/sunrpc/auth_gss/auth_gss.c |    2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index a31a27816cc0..7bb247c51e2f 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c

@@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred,
              goto unwrap_failed;
      mic.len = len;
      mic.data = kmalloc(len, GFP_KERNEL);
-     if (!mic.data)
+     if (ZERO_OR_NULL_PTR(mic.data))
              goto unwrap_failed;
      if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len))
              goto unwrap_failed;

--
Chuck Lever