sunrpc: fix null pointer dereference on zero-length checksum

LLfam · chucklever · commit 6df164e29bd4 · 2025-09-21T19:24:50.000-04:00
In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT. Fixes: 0653028 ("SUNRPC: Convert gss_verify_header() to use xdr_stream") Cc: stable@kernel.org Signed-off-by: Lei Lu <llfamsec@gmail.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -724,7 +724,7 @@ svcauth_gss_verify_header(struct svc_rqst *rqstp, struct rsc *rsci,
 		rqstp->rq_auth_stat = rpc_autherr_badverf;
 		return SVC_DENIED;
 	}
-	if (flavor != RPC_AUTH_GSS) {
+	if (flavor != RPC_AUTH_GSS || checksum.len < XDR_UNIT) {
 		rqstp->rq_auth_stat = rpc_autherr_badverf;
 		return SVC_DENIED;
 	}

Original file line number	Diff line number	Diff line change
`@@ -724,7 +724,7 @@ svcauth_gss_verify_header(struct svc_rqst rqstp, struct rsc rsci,`
`724`	`724`	`rqstp->rq_auth_stat = rpc_autherr_badverf;`
`725`	`725`	`return SVC_DENIED;`
`726`	`726`	`}`
`727`		`- if (flavor != RPC_AUTH_GSS) {`
	`727`	`+ if (flavor != RPC_AUTH_GSS \|\| checksum.len < XDR_UNIT) {`
`728`	`728`	`rqstp->rq_auth_stat = rpc_autherr_badverf;`
`729`	`729`	`return SVC_DENIED;`
`730`	`730`	`}`