* [PATCH] rxrpc: fix missing validation of ticket length in
@ 2026-04-22 0:32 Anderson Nascimento
2026-04-22 12:37 ` David Howells
0 siblings, 1 reply; 3+ messages in thread
From: Anderson Nascimento @ 2026-04-22 0:32 UTC (permalink / raw)
To: David Howells, Marc Dionne, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, Steve Dickson
Cc: Anderson Nascimento, linux-afs, netdev, linux-kernel
In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.
This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().
[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]
Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
bringing it into parity with the XDR parsing logic.
Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
Fixes: 84924aac08a4 ("rxrpc: Fix checker warning")
Reported-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
---
net/rxrpc/key.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 6301d79ee35a..5ebb06d87cdd 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -502,6 +502,10 @@ static int rxrpc_preparse(struct key_preparsed_payload *prep)
if (v1->security_index != RXRPC_SECURITY_RXKAD)
goto error;
+ ret = -EKEYREJECTED;
+ if(v1->ticket_length > AFSTOKEN_RK_TIX_MAX)
+ goto error;
+
plen = sizeof(*token->kad) + v1->ticket_length;
prep->quotalen += plen + sizeof(*token);
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] rxrpc: fix missing validation of ticket length in
2026-04-22 0:32 [PATCH] rxrpc: fix missing validation of ticket length in Anderson Nascimento
@ 2026-04-22 12:37 ` David Howells
2026-04-22 12:52 ` Anderson Nascimento
0 siblings, 1 reply; 3+ messages in thread
From: David Howells @ 2026-04-22 12:37 UTC (permalink / raw)
To: Anderson Nascimento
Cc: dhowells, Marc Dionne, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, Steve Dickson,
linux-afs, netdev, linux-kernel
> Subject: [PATCH] rxrpc: fix missing validation of ticket length in
...in rxrpc_preparse(), I presume?
David
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] rxrpc: fix missing validation of ticket length in
2026-04-22 12:37 ` David Howells
@ 2026-04-22 12:52 ` Anderson Nascimento
0 siblings, 0 replies; 3+ messages in thread
From: Anderson Nascimento @ 2026-04-22 12:52 UTC (permalink / raw)
To: David Howells
Cc: Marc Dionne, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman, Steve Dickson, linux-afs, netdev,
linux-kernel
On Wed, Apr 22, 2026 at 9:38 AM David Howells <dhowells@redhat.com> wrote:
>
> > Subject: [PATCH] rxrpc: fix missing validation of ticket length in
>
> ...in rxrpc_preparse(), I presume?
>
In fact it was "non-XDR key preparsing", but "in rxrpc_preparse()" also works.
> David
>
--
Anderson Nascimento
Allele Security Intelligence
https://www.allelesecurity.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-22 12:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-22 0:32 [PATCH] rxrpc: fix missing validation of ticket length in Anderson Nascimento
2026-04-22 12:37 ` David Howells
2026-04-22 12:52 ` Anderson Nascimento
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox