SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") Cc: stable@vger.kernel.org Signed-off-by: Joshua Rogers <linux@joshua.hu> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
author: Joshua Rogers <linux@joshua.hu> 2025-11-07 10:05:33 -0500
committer: Chuck Lever <chuck.lever@oracle.com> 2025-12-08 10:51:26 -0500
commit: d4b69a6186b215d2dc1ebcab965ed88e8d41768d (patch)
tree: 01f00c7fc99f4114596181f3582f297e855c901a
parent: df8c841dd92a7f262ad4fa649aa493b181e02812 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index a8ec30759a18..e2f0df8cdaa6 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1083,7 +1083,8 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
 	}
 
 	length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p);
-	memcpy(page_address(in_token->pages[0]), xdr->p, length);
+	if (length)
+		memcpy(page_address(in_token->pages[0]), xdr->p, length);
 	inlen -= length;
 
 	to_offs = length;
author	Joshua Rogers <linux@joshua.hu>	2025-11-07 10:05:33 -0500
committer	Chuck Lever <chuck.lever@oracle.com>	2025-12-08 10:51:26 -0500
commit	d4b69a6186b215d2dc1ebcab965ed88e8d41768d (patch)
tree	01f00c7fc99f4114596181f3582f297e855c901a
parent	df8c841dd92a7f262ad4fa649aa493b181e02812 (diff)