SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails

commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream. Fixes: 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication.") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Cc: <stable@vger.kernel.org> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Chuck Lever 2022-11-26 15:55:18 -0500
committer: Greg Kroah-Hartman 2023-01-04 11:29:02 +0100
commit: c9ded831e2552b9c3cab7e2591a190e94f9d29c0 (patch)
tree: 86e57a6d383f384384c10f29f0d3b00360ce182d /net
parent: e60fa800a32a693d672b1a091424d780278c4587 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index bcd74dddbe2d..9a5db285d4ae 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1162,18 +1162,23 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
 		return res;
 
 	inlen = svc_getnl(argv);
-	if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
+	if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) {
+		kfree(in_handle->data);
 		return SVC_DENIED;
+	}
 
 	pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
 	in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
-	if (!in_token->pages)
+	if (!in_token->pages) {
+		kfree(in_handle->data);
 		return SVC_DENIED;
+	}
 	in_token->page_base = 0;
 	in_token->page_len = inlen;
 	for (i = 0; i < pages; i++) {
 		in_token->pages[i] = alloc_page(GFP_KERNEL);
 		if (!in_token->pages[i]) {
+			kfree(in_handle->data);
 			gss_free_in_token_pages(in_token);
 			return SVC_DENIED;
 		}
author	Chuck Lever	2022-11-26 15:55:18 -0500
committer	Greg Kroah-Hartman	2023-01-04 11:29:02 +0100
commit	c9ded831e2552b9c3cab7e2591a190e94f9d29c0 (patch)
tree	86e57a6d383f384384c10f29f0d3b00360ce182d /net
parent	e60fa800a32a693d672b1a091424d780278c4587 (diff)