From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Scott Mayhew <smayhew@redhat.com>,
Simo Sorce <simo@redhat.com>,
"J. Bruce Fields" <bfields@redhat.com>
Subject: [PATCH 3.14 51/64] svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures
Date: Wed, 3 Jun 2015 20:43:19 +0900 [thread overview]
Message-ID: <20150603063930.671964427@linuxfoundation.org> (raw)
In-Reply-To: <20150603063928.472620468@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
commit 9507271d960a1911a51683888837d75c171cd91f upstream.
In an environment where the KDC is running Active Directory, the
exported composite name field returned in the context could be large
enough to span a page boundary. Attaching a scratch buffer to the
decoding xdr_stream helps deal with those cases.
The case where we saw this was actually due to behavior that's been
fixed in newer gss-proxy versions, but we're fixing it here too.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/auth_gss/gss_rpc_xdr.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -793,20 +793,26 @@ int gssx_dec_accept_sec_context(struct r
{
u32 value_follows;
int err;
+ struct page *scratch;
+
+ scratch = alloc_page(GFP_KERNEL);
+ if (!scratch)
+ return -ENOMEM;
+ xdr_set_scratch_buffer(xdr, page_address(scratch), PAGE_SIZE);
/* res->status */
err = gssx_dec_status(xdr, &res->status);
if (err)
- return err;
+ goto out_free;
/* res->context_handle */
err = gssx_dec_bool(xdr, &value_follows);
if (err)
- return err;
+ goto out_free;
if (value_follows) {
err = gssx_dec_ctx(xdr, res->context_handle);
if (err)
- return err;
+ goto out_free;
} else {
res->context_handle = NULL;
}
@@ -814,11 +820,11 @@ int gssx_dec_accept_sec_context(struct r
/* res->output_token */
err = gssx_dec_bool(xdr, &value_follows);
if (err)
- return err;
+ goto out_free;
if (value_follows) {
err = gssx_dec_buffer(xdr, res->output_token);
if (err)
- return err;
+ goto out_free;
} else {
res->output_token = NULL;
}
@@ -826,14 +832,17 @@ int gssx_dec_accept_sec_context(struct r
/* res->delegated_cred_handle */
err = gssx_dec_bool(xdr, &value_follows);
if (err)
- return err;
+ goto out_free;
if (value_follows) {
/* we do not support upcall servers sending this data. */
- return -EINVAL;
+ err = -EINVAL;
+ goto out_free;
}
/* res->options */
err = gssx_dec_option_array(xdr, &res->options);
+out_free:
+ __free_page(scratch);
return err;
}
next prev parent reply other threads:[~2015-06-03 13:03 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-03 11:42 [PATCH 3.14 00/64] 3.14.44-stable review Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 01/64] staging: wlags49_h2: fix extern inline functions Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 02/64] staging, rtl8192e, LLVMLinux: Change extern inline to static inline Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 03/64] staging: rtl8712, rtl8712: avoid lots of build warnings Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 04/64] staging, rtl8192e, LLVMLinux: Remove unused inline prototype Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 05/64] kernel: use the gnu89 standard explicitly Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 06/64] qla2xxx: remove redundant declaration in qla_gbl.h Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 07/64] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 08/64] net: socket: Fix the wrong returns for recvmsg and sendmsg Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 09/64] fs, omfs: add NULL terminator in the end up the token list Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 10/64] xfs: xfs_iozero can return positive errno Greg Kroah-Hartman
2015-06-03 13:15 ` Luis Henriques
2015-06-03 11:42 ` [PATCH 3.14 11/64] lguest: fix out-by-one error in address checking Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 12/64] libceph: request a new osdmap if lingering request maps to no osd Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 13/64] xen/events: dont bind non-percpu VIRQs with percpu chip Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 14/64] hwmon: (ntc_thermistor) Ensure iio channel is of type IIO_VOLTAGE Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 15/64] hwmon: (nct6775) Add missing sysfs attribute initialization Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 16/64] lib: Fix strnlen_user() to not touch memory after specified maximum Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 17/64] d_walk() might skip too much Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 18/64] ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 19/64] ALSA: hda - Add headphone quirk for Lifebook E752 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 21/64] ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 22/64] ASoC: uda1380: Avoid accessing i2c bus when codec is disabled Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 23/64] ASoC: wm8960: fix "RINPUT3" audio route error Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 24/64] ASoC: wm8994: correct BCLK DIV 348 to 384 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 26/64] target/pscsi: Dont leak scsi_host if hba is VIRTUAL_HOST Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 27/64] xhci: fix isoc endpoint dequeue from advancing too far on transaction error Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 28/64] xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 29/64] xhci: gracefully handle xhci_irq dead device Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 30/64] USB: visor: Match I330 phone more precisely Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 31/64] USB: pl2303: Remove support for Samsung I330 Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 32/64] USB: cp210x: add ID for KCF Technologies PRN device Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 33/64] usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 34/64] usb: gadget: configfs: Fix interfaces array NULL-termination Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 35/64] powerpc: Align TOC to 256 bytes Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 36/64] mmc: atmel-mci: fix bad variable type for clkdiv Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 37/64] tty/n_gsm.c: fix a memory leak when gsmtty is removed Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 38/64] ext4: fix NULL pointer dereference when journal restart fails Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 39/64] ext4: check for zero length extent explicitly Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 40/64] jbd2: fix r_count overflows leading to buffer overflow in journal recovery Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 41/64] libata: Add helper to determine when PHY events should be ignored Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 42/64] libata: Ignore spurious PHY event on LPM policy change Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 43/64] rt2x00: add new rt2800usb device DWA 130 Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 44/64] gpio: gpio-kempld: Fix get_direction return value Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 45/64] crypto: s390/ghash - Fix incorrect ghash icv buffer handling Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 46/64] mac80211: move WEP tailroom size check Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 48/64] ARM: fix missing syscall trace exit Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 49/64] tools/vm: fix page-flags build Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 50/64] mm, numa: really disable NUMA balancing by default on single node machines Greg Kroah-Hartman
2015-06-03 11:43 ` Greg Kroah-Hartman [this message]
2015-06-03 11:43 ` [PATCH 3.14 52/64] thermal: step_wise: Revert optimization Greg Kroah-Hartman
2015-06-12 11:58 ` Luis Henriques
2015-06-03 11:43 ` [PATCH 3.14 53/64] md/raid5: dont record new size if resize_stripes fails Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 54/64] md/raid0: fix restore to sector variable in raid0_make_request Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 55/64] rtlwifi: rtl8192cu: Fix kernel deadlock Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 56/64] Input: elantech - fix semi-mt protocol for v3 HW Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 57/64] storvsc: Set the SRB flags correctly when no data transfer is needed Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 58/64] sd: Disable support for 256 byte/sector disks Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 59/64] ACPI / init: Fix the ordering of acpi_reserve_resources() Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 60/64] drm/radeon: add new bonaire pci id Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 63/64] vfs: read file_handle only once in handle_to_path Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 64/64] fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings Greg Kroah-Hartman
2015-06-03 16:52 ` [PATCH 3.14 00/64] 3.14.44-stable review Shuah Khan
2015-06-03 18:15 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150603063930.671964427@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bfields@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=simo@redhat.com \
--cc=smayhew@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox