rpc: fix NULL dereference on kmalloc failure
I think this is unlikely but possible: svc_authenticate sets rq_authop and calls svcauth_gss_accept. The kmalloc(sizeof(*svcdata), GFP_KERNEL) fails, leaving rq_auth_data NULL, and returning SVC_DENIED. This causes svc_process_common to go to err_bad_auth, and eventually call svc_authorise. That calls ->release == svcauth_gss_release, which tries to dereference rq_auth_data. Signed-off-by: J. Bruce Fields <bfields@redhat.com> Link: https://lore.kernel.org/linux-nfs/3F1B347F-B809-478F-A1E9-0BE98E22B0F0@oracle.com/T/#t Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
This commit is contained in:
Родитель
f1442d6349
Коммит
0ddc942394
|
@ -1825,11 +1825,14 @@ static int
|
|||
svcauth_gss_release(struct svc_rqst *rqstp)
|
||||
{
|
||||
struct gss_svc_data *gsd = (struct gss_svc_data *)rqstp->rq_auth_data;
|
||||
struct rpc_gss_wire_cred *gc = &gsd->clcred;
|
||||
struct rpc_gss_wire_cred *gc;
|
||||
struct xdr_buf *resbuf = &rqstp->rq_res;
|
||||
int stat = -EINVAL;
|
||||
struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
|
||||
|
||||
if (!gsd)
|
||||
goto out;
|
||||
gc = &gsd->clcred;
|
||||
if (gc->gc_proc != RPC_GSS_PROC_DATA)
|
||||
goto out;
|
||||
/* Release can be called twice, but we only wrap once. */
|
||||
|
@ -1870,10 +1873,10 @@ out_err:
|
|||
if (rqstp->rq_cred.cr_group_info)
|
||||
put_group_info(rqstp->rq_cred.cr_group_info);
|
||||
rqstp->rq_cred.cr_group_info = NULL;
|
||||
if (gsd->rsci)
|
||||
if (gsd && gsd->rsci) {
|
||||
cache_put(&gsd->rsci->h, sn->rsc_cache);
|
||||
gsd->rsci = NULL;
|
||||
|
||||
gsd->rsci = NULL;
|
||||
}
|
||||
return stat;
|
||||
}
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче