From: Chuck Lever <chuck.lever@oracle.com> stable inclusion from stable-v4.19.270 commit 76f2497a2faa6a4e91efb94a7f55705b403273fd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6DPF8 CVE: NA -------------------------------- commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream. Fixes: 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication.") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Cc: <stable@vger.kernel.org> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: net/sunrpc/auth_gss/svcauth_gss.c Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com> Reviewed-by: Liu Jian <liujian56@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com> --- net/sunrpc/auth_gss/svcauth_gss.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index b18b23b3a994..047029959d45 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1092,8 +1092,10 @@ gss_read_proxy_verf(struct svc_rqst *rqstp, return res; inlen = svc_getnl(argv); - if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) + if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) { + kfree(in_handle->data); return SVC_DENIED; + } in_token->pages = rqstp->rq_pages; in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK; -- 2.25.1