diff options
| author |   Ilya Dryomov <idryomov@gmail.com> | 2018-07-27 19:40:30 +0200 |
|---|---|---|
| committer | Ilya Dryomov <idryomov@gmail.com> | 2018-08-02 21:33:26 +0200 |
| commit | 130f52f2b203aa0aec179341916ffb2e905f3afd (patch) | |
| tree | bff0676cab201746527089611ead79b1948d1ff5 /net/ceph | |
| parent | libceph: implement CEPHX_V2 calculation mode (diff) | |
| download | linux-dev-130f52f2b203aa0aec179341916ffb2e905f3afd.tar.xz linux-dev-130f52f2b203aa0aec179341916ffb2e905f3afd.zip | |
libceph: check authorizer reply/challenge length before reading
Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Diffstat (limited to 'net/ceph')
| -rw-r--r-- | net/ceph/messenger.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index e915c8bce117..0a187196aeed 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con) if (con->auth) { size = le32_to_cpu(con->in_reply.authorizer_len); + if (size > con->auth->authorizer_reply_buf_len) { + pr_err("authorizer reply too big: %d > %zu\n", size, + con->auth->authorizer_reply_buf_len); + ret = -EINVAL; + goto out; + } + end += size; ret = read_partial(con, end, size, con->auth->authorizer_reply_buf); |