SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

Joshua Rogers · chucklever · commit d4b69a6186b2 · 2025-12-08T10:51:26.000-05:00
A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. Fixes: 5866efa ("SUNRPC: Fix svcauth_gss_proxy_init()") Cc: stable@vger.kernel.org Signed-off-by: Joshua Rogers <linux@joshua.hu> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1083,7 +1083,8 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
 	}
 
 	length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p);
-	memcpy(page_address(in_token->pages[0]), xdr->p, length);
+	if (length)
+		memcpy(page_address(in_token->pages[0]), xdr->p, length);
 	inlen -= length;
 
 	to_offs = length;

Original file line number	Diff line number	Diff line change
`@@ -1083,7 +1083,8 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,`
`1083`	`1083`	`}`
`1084`	`1084`
`1085`	`1085`	`length = min_t(unsigned int, inlen, (char )xdr->end - (char )xdr->p);`
`1086`		`- memcpy(page_address(in_token->pages[0]), xdr->p, length);`
	`1086`	`+ if (length)`
	`1087`	`+ memcpy(page_address(in_token->pages[0]), xdr->p, length);`
`1087`	`1088`	`inlen -= length;`
`1088`	`1089`
`1089`	`1090`	`to_offs = length;`