From: Chuck Lever chuck.lever@oracle.com
stable inclusion from stable-v4.19.270 commit 76f2497a2faa6a4e91efb94a7f55705b403273fd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6DPF8 CVE: NA
--------------------------------
commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream.
Fixes: 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication.") Signed-off-by: Chuck Lever chuck.lever@oracle.com Cc: stable@vger.kernel.org Reviewed-by: Jeff Layton jlayton@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Conflicts: net/sunrpc/auth_gss/svcauth_gss.c
Signed-off-by: Baisong Zhong zhongbaisong@huawei.com Reviewed-by: Liu Jian liujian56@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- net/sunrpc/auth_gss/svcauth_gss.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index b18b23b3a994..047029959d45 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1092,8 +1092,10 @@ gss_read_proxy_verf(struct svc_rqst *rqstp, return res;
inlen = svc_getnl(argv); - if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) + if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) { + kfree(in_handle->data); return SVC_DENIED; + }
in_token->pages = rqstp->rq_pages; in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK;