1. Patchew
  2. linux
  3. View series

[PATCH net] rxrpc: Fix untrusted unsigned subtract

David Howells posted 1 patch 2 weeks, 6 days ago 
net/rxrpc/rxgk_app.c |   19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
[PATCH net] rxrpc: Fix untrusted unsigned subtract
Posted by David Howells 2 weeks, 6 days ago 
Fix the following Smatch Smatch static checker warning:

   net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket()
   warn: untrusted unsigned subtract. 'ticket_len - 10 * 4'

by prechecking the length of what we're trying to extract in two places in
the token and decoding for a response packet.

Also use sizeof() on the struct we're extracting rather specifying the size
numerically to be consistent with the other related statements.

Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lists.infradead.org/pipermail/linux-afs/2025-September/010135.html
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
---
 net/rxrpc/rxgk_app.c |   19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index df684b5a8531..30275cb5ba3e 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -54,6 +54,10 @@ int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
 
 	_enter("");
 
+	if (ticket_len < 10 * sizeof(__be32))
+		return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
+					rxgk_abort_resp_short_yfs_tkt);
+
 	/* Get the session key length */
 	ret = skb_copy_bits(skb, ticket_offset, tmp, sizeof(tmp));
 	if (ret < 0)
@@ -195,22 +199,23 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		__be32 token_len;
 	} container;
 
+	if (token_len < sizeof(container))
+		goto short_packet;
+
 	/* Decode the RXGK_TokenContainer object.  This tells us which server
 	 * key we should be using.  We can then fetch the key, get the secret
 	 * and set up the crypto to extract the token.
 	 */
 	if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0)
-		return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
-					rxgk_abort_resp_tok_short);
+		goto short_packet;
 
 	kvno		= ntohl(container.kvno);
 	enctype		= ntohl(container.enctype);
 	ticket_len	= ntohl(container.token_len);
 	ticket_offset	= token_offset + sizeof(container);
 
-	if (xdr_round_up(ticket_len) > token_len - 3 * 4)
-		return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
-					rxgk_abort_resp_tok_short);
+	if (xdr_round_up(ticket_len) > token_len - sizeof(container))
+		goto short_packet;
 
 	_debug("KVNO %u", kvno);
 	_debug("ENC  %u", enctype);
@@ -285,4 +290,8 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 	 * also come out this way if the ticket decryption fails.
 	 */
 	return ret;
+
+short_packet:
+	return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
+				rxgk_abort_resp_tok_short);
 }
Re: [PATCH net] rxrpc: Fix untrusted unsigned subtract
Posted by Simon Horman 2 weeks, 5 days ago 
On Fri, Sep 12, 2025 at 12:06:17AM +0100, David Howells wrote:
> Fix the following Smatch Smatch static checker warning:

nit: Smatch Smatch -> Smatch

> 
>    net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket()
>    warn: untrusted unsigned subtract. 'ticket_len - 10 * 4'
> 
> by prechecking the length of what we're trying to extract in two places in
> the token and decoding for a response packet.
> 
> Also use sizeof() on the struct we're extracting rather specifying the size
> numerically to be consistent with the other related statements.
> 
> Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lists.infradead.org/pipermail/linux-afs/2025-September/010135.html
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Marc Dionne <marc.dionne@auristor.com>
> cc: Jakub Kicinski <kuba@kernel.org>
> cc: "David S. Miller" <davem@davemloft.net>
> cc: Eric Dumazet <edumazet@google.com>
> cc: Paolo Abeni <pabeni@redhat.com>
> cc: Simon Horman <horms@kernel.org>
> cc: linux-afs@lists.infradead.org
> cc: netdev@vger.kernel.org
> ---
>  net/rxrpc/rxgk_app.c |   19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)

Reviewed-by: Simon Horman <horms@kernel.org>
Re: [PATCH net] rxrpc: Fix untrusted unsigned subtract
Posted by David Howells 2 weeks, 5 days ago 
Simon Horman <horms@kernel.org> wrote:

> > Fix the following Smatch Smatch static checker warning:
> 
> nit: Smatch Smatch -> Smatch

Yeah.  Can that be fixed up at time of application?

David
Re: [PATCH net] rxrpc: Fix untrusted unsigned subtract
Posted by Jakub Kicinski 2 weeks, 3 days ago 
On Fri, 12 Sep 2025 20:43:58 +0100 David Howells wrote:
> Simon Horman <horms@kernel.org> wrote:
> 
> > > Fix the following Smatch Smatch static checker warning:  
> > 
> > nit: Smatch Smatch -> Smatch  
> 
> Yeah.  Can that be fixed up at time of application?

Done!

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.