| author | Jeffrey Altman <jaltman@auristor.com> | 2026-06-09 15:09:05 +0100 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-06-12 16:48:54 -0700 |
| commit | 16c8ae9735c5bd7e54dd7478d6348e0fc860842d (patch) | |
| tree | 671f2cbc3d46a1a1012462c66a6fa1a052730304 /include/linux/timerqueue_types.h | |
| parent | 86c51f0f23136ea5ef5541f607287e07150cd23f (diff) | |
rxrpc: rxrpc_verify_data ensure rx_dec_buffer alloc

rxrpc_recvmsg_data() calls rxrpc_verify_data() whenever the
rxrpc_call.rx_dec_buffer is unallocated and assumes that upon
successful return that rx_dec_buffer must be allocated.

However, rxrpc_verify_data() does not request an allocation if
the rxrpc_skb_priv.len is zero.

In addition, failure to allocate rx_dec_buffer will result in a
call to skb_copy_bits() with a NULL destination which can
trigger a NULL pointer dereference.

To prevent these issues rxrpc_verify_data() is modified to
always attempt to allocate the rxrpc_call.rx_dec_buffer if it
is NULL.

This issue was identified with assistance of a private
sashiko instance.

Fixes: d2bc90cf6c75cb ("rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg")
Reported-by: Simon Horman <simon.horman@redhat.com>
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260609140911.838677-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/linux/timerqueue_types.h')
0 files changed, 0 insertions, 0 deletions
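
A user-space model of the invariant described in the commit message, added here as an illustration; it is not the kernel patch or any code from the rxrpc tree. The names `struct call`, `struct packet`, `verify_before`, `verify_after`, `recv_data` and `alloc_fn`, the 1-byte minimum allocation and the `-EFAULT` marker are all assumptions made for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space stand-ins, not the kernel's structures. */
struct call   { unsigned char *dec_buffer; size_t dec_size; };
struct packet { const unsigned char *data; size_t len; };

/* Allocator hook so a test can simulate allocation failure. */
static void *(*alloc_fn)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* "Before" shape: no allocation request for len == 0, result unchecked. */
static int verify_before(struct call *c, const struct packet *p)
{
	if (!c->dec_buffer && p->len > 0) {
		c->dec_buffer = alloc_fn(p->len);
		c->dec_size = p->len;
	}
	return 0; /* reports success even when dec_buffer is still NULL */
}

/* "After" shape: always try to allocate when NULL, fail on error. */
static int verify_after(struct call *c, const struct packet *p)
{
	if (!c->dec_buffer) {
		size_t want = p->len ? p->len : 1; /* assumed minimum size */
		c->dec_buffer = alloc_fn(want);
		if (!c->dec_buffer)
			return -ENOMEM;
		c->dec_size = want;
	}
	return 0;
}

/* Caller model: -EFAULT marks where a NULL destination would be used. */
static int recv_data(struct call *c, const struct packet *p,
		     int (*verify)(struct call *, const struct packet *))
{
	int ret = c->dec_buffer ? 0 : verify(c, p);
	if (ret < 0)
		return ret;
	if (!c->dec_buffer)
		return -EFAULT; /* invariant broken: the copy would hit NULL */
	if (p->len > c->dec_size)
		return -EMSGSIZE;
	memcpy(c->dec_buffer, p->data, p->len);
	return 0;
}
```
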
