From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org,
Jeffrey Altman <jaltman@auristor.com>,
Simon Horman <horms@kernel.org>,
stable@kernel.org
Subject: [PATCH net v5 17/21] rxrpc: Fix integer overflow in rxgk_verify_response()
Date: Wed, 8 Apr 2026 13:12:45 +0100 [thread overview]
Message-ID: <20260408121252.2249051-18-dhowells@redhat.com> (raw)
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>
In rxgk_verify_response(), there's a potential integer overflow due to
rounding up token_len before checking it, thereby allowing the length check to
be bypassed.
Fix this by checking the unrounded value against len too (len is limited as
the response must fit in a single UDP packet).
Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
net/rxrpc/rxgk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c
index 9e4a4ff28913..064c1531fc99 100644
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1209,7 +1209,8 @@ static int rxgk_verify_response(struct rxrpc_connection *conn,
token_offset = offset;
token_len = ntohl(rhdr.token_len);
- if (xdr_round_up(token_len) + sizeof(__be32) > len)
+ if (token_len > len ||
+ xdr_round_up(token_len) + sizeof(__be32) > len)
goto short_packet;
trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, token_len);
next prev parent reply other threads:[~2026-04-08 12:14 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 12:12 [PATCH net v5 00/21] rxrpc: Miscellaneous fixes David Howells
2026-04-08 12:12 ` [PATCH net v5 01/21] rxrpc: Fix key quota calculation for multitoken keys David Howells
2026-04-08 12:12 ` [PATCH net v5 02/21] rxrpc: Fix key parsing memleak David Howells
2026-04-08 12:12 ` [PATCH net v5 03/21] rxrpc: Fix anonymous key handling David Howells
2026-04-08 12:12 ` [PATCH net v5 04/21] rxrpc: Fix call removal to use RCU safe deletion David Howells
2026-04-08 12:12 ` [PATCH net v5 05/21] rxrpc: Fix RxGK token loading to check bounds David Howells
2026-04-08 12:12 ` [PATCH net v5 06/21] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial David Howells
2026-04-08 12:12 ` [PATCH net v5 07/21] rxrpc: Fix rack timer warning to report unexpected mode David Howells
2026-04-08 12:12 ` [PATCH net v5 08/21] rxrpc: Fix key reference count leak from call->key David Howells
2026-04-08 12:12 ` [PATCH net v5 09/21] rxrpc: Fix to request an ack if window is limited David Howells
2026-04-08 12:12 ` [PATCH net v5 10/21] rxrpc: Only put the call ref if one was acquired David Howells
2026-04-08 12:12 ` [PATCH net v5 11/21] rxrpc: reject undecryptable rxkad response tickets David Howells
2026-04-08 12:12 ` [PATCH net v5 12/21] rxrpc: fix RESPONSE authenticator parser OOB read David Howells
2026-04-08 12:12 ` [PATCH net v5 13/21] rxrpc: fix oversized RESPONSE authenticator length check David Howells
2026-04-08 12:12 ` [PATCH net v5 14/21] rxrpc: fix reference count leak in rxrpc_server_keyring() David Howells
2026-04-08 12:12 ` [PATCH net v5 15/21] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) David Howells
2026-04-08 12:12 ` [PATCH net v5 16/21] rxrpc: Fix missing error checks for rxkad encryption/decryption failure David Howells
2026-04-08 12:12 ` David Howells [this message]
2026-04-08 12:12 ` [PATCH net v5 18/21] rxrpc: Fix leak of rxgk context in rxgk_verify_response() David Howells
2026-04-08 12:12 ` [PATCH net v5 19/21] rxrpc: Fix buffer overread in rxgk_do_verify_authenticator() David Howells
2026-04-08 12:12 ` [PATCH net v5 20/21] rxrpc: only handle RESPONSE during service challenge David Howells
2026-04-08 12:12 ` [PATCH net v5 21/21] rxrpc: proc: size address buffers for %pISpc output David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408121252.2249051-18-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox