From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Anderson Nascimento <anderson@allelesecurity.com>,
linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH net v2 0/6] rxrpc: Miscellaneous fixes
Date: Wed, 22 Apr 2026 17:14:29 +0100
Message-ID: <20260422161438.2593376-1-dhowells@redhat.com>

Here are some fixes for rxrpc, as found by Sashiko[1]:

 (1) Fix leaks in rxkad_verify_response().

 (2) Fix handling of rxkad-encrypted packets with crypto-misaligned
     lengths.

 (3) Fix problem with unsharing DATA packets potentially causing a crash in
     the caller.

 (4) Fix lack of unsharing of RESPONSE packets.

 (5) Fix integer overflow in RxGK ticket length check.

 (6) Fix missing length check in RxKAD tickets.

David

The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes

Changes
=======
ver #2)
 - Use of __free() constructs in networking code is disallowed, so rework
   the rxkad_verify_response() patch to just clean everything up at the end
   and cope with NULL pointers.
 - Reworked the unsharing fix:
   - Used skb_cloned() and skb_copy() directly rather than skb_unshare().
     The problem with skb_unshare() is that it kills the source skbuff if it
     can't copy, which then has to be propagated up the call chain. Even
     so, the code still had a bug from this[1].
   - Split into two patches, one for DATA and one for RESPONSE packets.
   - Do the DATA unshare a lot further along.
 - Imported a patch to add a length check on RxKAD tickets.

Link: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com [1]

Anderson Nascimento (1):
  rxrpc: Fix missing validation of ticket length in non-XDR key
    preparsing

David Howells (5):
  rxrpc: Fix memory leaks in rxkad_verify_response()
  rxrpc: Fix rxkad crypto unalignment handling
  rxrpc: Fix potential UAF after skb_unshare() failure
  rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
  rxgk: Fix potential integer overflow in length check

include/trace/events/rxrpc.h | 5 +-
net/rxrpc/ar-internal.h | 1 -
net/rxrpc/call_event.c | 19 +++++-
net/rxrpc/conn_event.c | 29 ++++++++-
net/rxrpc/io_thread.c | 24 +-------
net/rxrpc/key.c | 4 ++
net/rxrpc/rxgk_app.c | 2 +-
net/rxrpc/rxgk_common.h | 1 +
net/rxrpc/rxkad.c | 112 +++++++++++++++--------------------
net/rxrpc/skbuff.c | 9 ---
10 files changed, 106 insertions(+), 100 deletions(-)