Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

libceph: prevent potential out-of-bounds reads in handle_auth_done()

Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.

[ idryomov: changelog ]

Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

authored by ziming zhang and committed by Ilya Dryomov
818156ca 9ace4753

+2
+2
net/ceph/messenger_v2.c
··· 2376 2376 2377 2377 ceph_decode_64_safe(&p, end, global_id, bad); 2378 2378 ceph_decode_32_safe(&p, end, con->v2.con_mode, bad); 2379 + 2379 2380 ceph_decode_32_safe(&p, end, payload_len, bad); 2381 + ceph_decode_need(&p, end, payload_len, bad); 2380 2382 2381 2383 dout("%s con %p global_id %llu con_mode %d payload_len %d\n", 2382 2384 __func__, con, global_id, con->v2.con_mode, payload_len);
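
Review bot: payload_len is printed with %d in the dout that follows the new ceph_decode_need(&p, end, payload_len, bad) line, which suggests it is a signed int even though it is read with ceph_decode_32_safe(). Please confirm that a wire value with the top bit set fails the new check rather than being treated as a negative length, or declare the variable as u32 and print it with %u so the bound is unambiguous. The changelog also says the out-of-bounds access would happen "in the callout" without naming it; naming the function that consumes p and payload_len, in the changelog or in a one-line comment above the check, would make it clear why the length has to be validated here rather than by the consumer.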