author    Keenan Dong <keenanat2000@gmail.com>  2026-04-08 13:12:41 +0100
committer Jakub Kicinski <kuba@kernel.org>  2026-04-08 18:44:33 -0700
commit    a2567217ade970ecc458144b6be469bc015b23e5
tree      5c7987ec14cf3e7a843ff7de56bbf3657d5dfeb8
parent    3e3138007887504ee9206d0bfb5acb062c600025
rxrpc: fix oversized RESPONSE authenticator length check
rxgk_verify_response() decodes auth_len from the packet and is supposed to
verify that it fits in the remaining bytes. The existing check is inverted,
so oversized RESPONSE authenticators are accepted and passed to
rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible
length and hit BUG_ON(len).

Decoded from the original latest-net reproduction logs with
scripts/decode_stacktrace.sh:

RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
Call Trace:
 skb_to_sgvec() [net/core/skbuff.c:5305]
 rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]

Reject authenticator lengths that exceed the remaining packet payload.

Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: Willy Tarreau <w@1wt.eu>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-14-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
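The inverted comparison the commit message describes, as an added illustration rather than code from the kernel or from this patch: a hypothetical check_auth_len() decodes a big-endian auth_len from a constructed packet and applies either the original `auth_len < len` test or the corrected `auth_len > len` test, showing that only the corrected form rejects a claimed length larger than the bytes that remain. The enum values, demo() and the packet layout (length field followed by payload) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Outcomes mirroring the goto labels in rxgk_verify_response() (hypothetical helper). */
enum auth_check { AUTH_OK = 0, AUTH_SHORT_PACKET = -1, AUTH_INCONSISTENT = -2 };

/* Decode the big-endian auth_len at 'offset' and validate it against the bytes that
 * remain after it. fixed=1 applies the patch's comparison; fixed=0 reproduces the
 * inverted check the patch removes. */
static int check_auth_len(const uint8_t *pkt, size_t pkt_len, size_t offset, int fixed)
{
    uint32_t xauth_len, auth_len;
    size_t len;

    if (offset + sizeof(xauth_len) > pkt_len)
        return AUTH_SHORT_PACKET;
    memcpy(&xauth_len, pkt + offset, sizeof(xauth_len));
    auth_len = ntohl(xauth_len);
    len = pkt_len - offset - sizeof(xauth_len); /* payload left for the authenticator */

    if (fixed ? (auth_len > len) : (auth_len < len))
        return AUTH_SHORT_PACKET;               /* claimed length does not fit */
    if (auth_len & 3)
        return AUTH_INCONSISTENT;               /* must be a multiple of 4, as in the original */
    return AUTH_OK;
}

/* Build a constructed packet (auth_len field + 'payload' zero bytes) and check it. */
static int demo(uint32_t auth_len, size_t payload, int fixed)
{
    uint8_t pkt[64] = {0};
    uint32_t be = htonl(auth_len);

    if (payload > sizeof(pkt) - sizeof(be))
        return AUTH_SHORT_PACKET;
    memcpy(pkt, &be, sizeof(be));
    return check_auth_len(pkt, sizeof(be) + payload, 0, fixed);
}

int main(void)
{
    /* A 4096-byte authenticator is claimed while only 8 payload bytes are present. */
    printf("inverted check: %d\n", demo(4096, 8, 0)); /* 0: oversized length accepted */
    printf("fixed check:    %d\n", demo(4096, 8, 1)); /* -1: rejected as short packet */
    return 0;
}
```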
-rw-r--r--  net/rxrpc/rxgk.c  2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c
index 01dbdf0b5cf2..9e4a4ff28913 100644
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1224,7 +1224,7 @@ static int rxgk_verify_response(struct rxrpc_connection *conn,
auth_offset = offset;
auth_len = ntohl(xauth_len);
- if (auth_len < len)
+ if (auth_len > len)
goto short_packet;
if (auth_len & 3)
goto inconsistent;
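Review bot: the comparison now rejects auth_len > len, which is the direction the commit message calls for, but the line reads as a bounds check only if `len` at this point is the payload remaining after `auth_offset` rather than the whole packet length; please confirm that `len` has already been reduced by the bytes consumed before `xauth_len` was read, and consider a one-line comment such as `/* len = bytes remaining after the length field */` above the test, since an inverted compare here went unnoticed once already. The `auth_len & 3` test on the following line still runs only after the bounds check, which is the right order: an oversized length should reach `short_packet` before anything derived from it is used.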