SUNRPC: Fix loop termination condition in gss_free_in_token_pages()

commit 4a77c3dead97339478c7422eb07bf4bf63577008 upstream. The in_token->pages[] array is not NULL terminated. This results in the following KASAN splat: KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f] Fixes: bafa6b4d95d9 ("SUNRPC: Fix gss_free_in_token_pages()") Reviewed-by: Benjamin Coddington <bcodding@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Chuck Lever <chuck.lever@oracle.com> 2024-06-02 18:15:25 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-06-12 11:13:03 +0200
commit: af628d43a822b78ad8d4a58d8259f8bf8bc71115 (patch)
tree: 654f35a94c29bda5fabca4ff423b3960371708c9
parent: c775ffab3e53d591ca4f10a41f72d00fae38ae1b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 708297f338752..cf30bd649e270 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1079,7 +1079,7 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
 		goto out_denied_free;
 
 	pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
-	in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
+	in_token->pages = kcalloc(pages + 1, sizeof(struct page *), GFP_KERNEL);
 	if (!in_token->pages)
 		goto out_denied_free;
 	in_token->page_base = 0;
author	Chuck Lever <chuck.lever@oracle.com>	2024-06-02 18:15:25 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-06-12 11:13:03 +0200
commit	af628d43a822b78ad8d4a58d8259f8bf8bc71115 (patch)
tree	654f35a94c29bda5fabca4ff423b3960371708c9
parent	c775ffab3e53d591ca4f10a41f72d00fae38ae1b (diff)