svcrpc: fix gss-proxy NULL dereference in some error cases
authorJ. Bruce Fields <bfields@redhat.com>
Tue, 8 Oct 2013 19:33:53 +0000 (15:33 -0400)
committerJ. Bruce Fields <bfields@redhat.com>
Tue, 8 Oct 2013 19:56:15 +0000 (15:56 -0400)
We depend on the xdr decoder to set this pointer, but if we error out
before we decode this piece it could be left NULL.

I think this is probably tough to hit without a buggy gss-proxy.

Reported-by: Andi Kleen <andi@firstfloor.org>
Cc: Simo Sorce <simo@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
net/sunrpc/auth_gss/gss_rpc_upcall.c

index f1eb0d16666c2750b0001d923fabbd572f2cbe7d..458f85e9b0ba088575a72ef6dd6ff8d21484d290 100644 (file)
@@ -298,7 +298,8 @@ int gssp_accept_sec_context_upcall(struct net *net,
        if (res.context_handle) {
                data->out_handle = rctxh.exported_context_token;
                data->mech_oid.len = rctxh.mech.len;
-               memcpy(data->mech_oid.data, rctxh.mech.data,
+               if (rctxh.mech.data)
+                       memcpy(data->mech_oid.data, rctxh.mech.data,
                                                data->mech_oid.len);
                client_name = rctxh.src_name.display_name;
        }