[PATCH 6.18 80/83] rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()
Greg Kroah-Hartman
gregkh at linuxfoundation.org
Mon Apr 13 09:00:48 PDT 2026
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells at redhat.com>
commit f564af387c8c28238f8ebc13314c589d7ba8475d upstream.
Fix rxgk_do_verify_authenticator() to check the buffer size before checking
the nonce.
Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-20-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
net/rxrpc/rxgk.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1085,6 +1085,9 @@ static int rxgk_do_verify_authenticator(
_enter("");
+ if ((end - p) * sizeof(__be32) < 24)
+ return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
+ rxgk_abort_resp_short_auth);
if (memcmp(p, conn->rxgk.nonce, 20) != 0)
return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
rxgk_abort_resp_bad_nonce);
@@ -1098,7 +1101,7 @@ static int rxgk_do_verify_authenticator(
p += xdr_round_up(app_len) / sizeof(__be32);
if (end - p < 4)
return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
- rxgk_abort_resp_short_applen);
+ rxgk_abort_resp_short_auth);
level = ntohl(*p++);
epoch = ntohl(*p++);
More information about the linux-afs
mailing list