libceph: check authorizer reply/challenge length before reading
Avoid scribbling over memory if the received reply/challenge is larger than the buffer supplied with the authorizer. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Sage Weil <sage@redhat.com>
This commit is contained in:
parent
cc255c76c7
commit
130f52f2b2
|
@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con)
|
|||
|
||||
if (con->auth) {
|
||||
size = le32_to_cpu(con->in_reply.authorizer_len);
|
||||
if (size > con->auth->authorizer_reply_buf_len) {
|
||||
pr_err("authorizer reply too big: %d > %zu\n", size,
|
||||
con->auth->authorizer_reply_buf_len);
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
end += size;
|
||||
ret = read_partial(con, end, size,
|
||||
con->auth->authorizer_reply_buf);
|
||||
|
|
Loading…
Reference in New Issue