Patch "rxgk: Fix potential integer overflow in length check" has been added to the 7.0-stable tree
gregkh at linuxfoundation.org
Mon May 4 02:00:17 PDT 2026
This is a note to let you know that I've just added the patch titled
rxgk: Fix potential integer overflow in length check
to the 7.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
rxgk-fix-potential-integer-overflow-in-length-check.patch
and it can be found in the queue-7.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
From 6929350080f4da292d111a3b33e53138fee51cec Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Wed, 22 Apr 2026 17:14:34 +0100
Subject: rxgk: Fix potential integer overflow in length check
From: David Howells <dhowells at redhat.com>
commit 6929350080f4da292d111a3b33e53138fee51cec upstream.
Fix potential integer overflow in rxgk_extract_token() when checking the
length of the ticket. Rather than rounding up the value to be tested
(which might overflow), round down the size of the available data.
Fixes: 2429a1976481 ("rxrpc: Fix untrusted unsigned subtract")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-6-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
net/rxrpc/rxgk_app.c | 2 +-
net/rxrpc/rxgk_common.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -214,7 +214,7 @@ int rxgk_extract_token(struct rxrpc_conn
ticket_len = ntohl(container.token_len);
ticket_offset = token_offset + sizeof(container);
- if (xdr_round_up(ticket_len) > token_len - sizeof(container))
+ if (ticket_len > xdr_round_down(token_len - sizeof(container)))
goto short_packet;
_debug("KVNO %u", kvno);
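Review bot: the right-hand side of the new comparison, token_len - sizeof(container), is still an unsigned subtraction, and nothing in this hunk shows that token_len has already been checked to be at least sizeof(container). If an earlier check in rxgk_extract_token() guarantees that, a short comment here naming it would keep the two tied together; without it the difference wraps to a very large value and the rounded-down bound lets any ticket_len through. Given that precondition the new form is sound: ticket_len comes straight from ntohl(container.token_len), and because the bound is now a multiple of 4, any ticket_len that passes also has xdr_round_up(ticket_len) within the available data.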
--- a/net/rxrpc/rxgk_common.h
+++ b/net/rxrpc/rxgk_common.h
@@ -34,6 +34,7 @@ struct rxgk_context {
};
#define xdr_round_up(x) (round_up((x), sizeof(__be32)))
+#define xdr_round_down(x) (round_down((x), sizeof(__be32)))
#define xdr_object_len(x) (4 + xdr_round_up(x))
/*
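Review bot: xdr_object_len() on the line after the new macro still computes 4 + xdr_round_up(x), so it keeps the same wrap this patch removes from rxgk_extract_token() if x is ever an unvalidated wire length. A one-line comment above these macros would help: xdr_round_up() and xdr_object_len() are for lengths that are already bounded, and xdr_round_down() is the one to apply to the available size when checking an untrusted length.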
Patches currently in stable-queue which might be from dhowells at redhat.com are
queue-7.0/rxrpc-fix-re-decryption-of-response-packets.patch
queue-7.0/rxrpc-fix-rxrpc_input_call_event-to-only-unshare-data-packets.patch
queue-7.0/rxrpc-fix-rxkad-crypto-unalignment-handling.patch
queue-7.0/rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch
queue-7.0/fs-afs-revert-mmap_prepare-change.patch
queue-7.0/rxrpc-fix-potential-uaf-after-skb_unshare-failure.patch
queue-7.0/rxrpc-fix-conn-level-packet-handling-to-unshare-response-packets.patch
queue-7.0/rxgk-fix-potential-integer-overflow-in-length-check.patch
queue-7.0/rxrpc-fix-error-handling-in-rxgk_extract_token.patch
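
The wrap described in the commit message above, as an added userspace C example that is not part of the patch or the kernel source. It assumes 32-bit unsigned arithmetic and an 8-byte container header; check_old(), check_new() and count_disagreements() are hypothetical names, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel macros; 4 == sizeof(__be32). */
static uint32_t xdr_round_up(uint32_t x)   { return (x + 3u) & ~3u; }
static uint32_t xdr_round_down(uint32_t x) { return x & ~3u; }

/* Assumed container header size for this demo, not the kernel struct's. */
#define CONTAINER_SIZE 8u

/* Pre-patch form: rounds up the untrusted length. 1 = short_packet. */
int check_old(uint32_t ticket_len, uint32_t token_len)
{
	return xdr_round_up(ticket_len) > token_len - CONTAINER_SIZE;
}

/* Patched form: rounds down the size of the available data. */
int check_new(uint32_t ticket_len, uint32_t token_len)
{
	return ticket_len > xdr_round_down(token_len - CONTAINER_SIZE);
}

/* Count inputs where the two forms disagree over a ticket_len range
 * (inclusive), for every token_len in [CONTAINER_SIZE, max_token]. */
unsigned count_disagreements(uint32_t lo, uint32_t hi, uint32_t max_token)
{
	unsigned n = 0;
	for (uint32_t tok = CONTAINER_SIZE; tok <= max_token; tok++)
		for (uint64_t t = lo; t <= hi; t++)
			n += check_old((uint32_t)t, tok) != check_new((uint32_t)t, tok);
	return n;
}

int main(void)
{
	/* Constructed wire value: three bytes below the 32-bit limit. */
	uint32_t ticket_len = 0xFFFFFFFDu, token_len = 24;

	printf("round_up(0x%X) = %u\n", ticket_len, xdr_round_up(ticket_len));
	printf("old check rejects: %d\n", check_old(ticket_len, token_len));
	printf("new check rejects: %d\n", check_new(ticket_len, token_len));
	printf("disagreements, ticket_len 0..64: %u\n",
	       count_disagreements(0, 64, 64));
	printf("disagreements, top three values: %u\n",
	       count_disagreements(0xFFFFFFFDu, 0xFFFFFFFFu, 64));
	return 0;
}
```

The two forms agree on every length that does not wrap, so the patched check changes behaviour only for the top three 32-bit values, which the old form accepted.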