shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-04 18:19:28 +09:00
Code Issues Packages Projects Releases Wiki Activity

libceph: check authorizer reply/challenge length before reading

Browse Source 
commit 130f52f2b2 upstream.

Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Ilya Dryomov
2018-07-27 19:40:30 +02:00
committed by Greg Kroah-Hartman
parent 14118df4e7
commit 0c5f2e8992
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
net/ceph/messenger.c
View File

@@ -1754,6 +1754,13 @@ static int read_partial_connect(struct ceph_connection *con)
if (con->auth) {
size = le32_to_cpu(con->in_reply.authorizer_len);
if (size > con->auth->authorizer_reply_buf_len) {
pr_err("authorizer reply too big: %d > %zu\n", size,
con->auth->authorizer_reply_buf_len);
ret = -EINVAL;
goto out;
}
end += size;
ret = read_partial(con, end, size,
con->auth->authorizer_reply_buf);