Commit 0ddc9423 authored by J. Bruce Fields's avatar J. Bruce Fields Committed by Chuck Lever
Browse files

rpc: fix NULL dereference on kmalloc failure 



I think this is unlikely but possible:

svc_authenticate sets rq_authop and calls svcauth_gss_accept.  The
kmalloc(sizeof(*svcdata), GFP_KERNEL) fails, leaving rq_auth_data NULL,
and returning SVC_DENIED.

This causes svc_process_common to go to err_bad_auth, and eventually
call svc_authorise.  That calls ->release == svcauth_gss_release, which
tries to dereference rq_auth_data.

Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
Link: https://lore.kernel.org/linux-nfs/3F1B347F-B809-478F-A1E9-0BE98E22B0F0@oracle.com/T/#t


Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
parent f1442d63

net/sunrpc/auth_gss/svcauth_gss.c

+7 −4
Original line number Diff line number Diff line
@@ -1825,11 +1825,14 @@ static int 
svcauth_gss_release(struct svc_rqst *rqstp)

{

	struct gss_svc_data *gsd = (struct gss_svc_data *)rqstp->rq_auth_data;

	struct rpc_gss_wire_cred *gc = &gsd->clcred;

	struct rpc_gss_wire_cred *gc;

	struct xdr_buf *resbuf = &rqstp->rq_res;

	int stat = -EINVAL;

	struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);



	if (!gsd)

		goto out;

	gc = &gsd->clcred;

	if (gc->gc_proc != RPC_GSS_PROC_DATA)

		goto out;

	/* Release can be called twice, but we only wrap once. */
@@ -1870,10 +1873,10 @@ svcauth_gss_release(struct svc_rqst *rqstp) 
	if (rqstp->rq_cred.cr_group_info)

		put_group_info(rqstp->rq_cred.cr_group_info);

	rqstp->rq_cred.cr_group_info = NULL;

	if (gsd->rsci)

	if (gsd && gsd->rsci) {

		cache_put(&gsd->rsci->h, sn->rsc_cache);

		gsd->rsci = NULL;



	}

	return stat;

}