hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ceph: fix length validation in parse_reply_info() 

"len" is read from network and thus needs validation.  Otherwise, given
a bogus "len" value, p+len could be an out-of-bounds pointer, which is
used in further parsing.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Sage Weil <sage@newdream.net>
This commit is contained in:
Xi Wang 2012-01-14 22:20:59 -05:00 committed by Sage Weil
parent ab434b60ab
commit 32852a81bc
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fs/ceph/mds_client.c
View File

@ -262,6 +262,7 @@ static int parse_reply_info(struct ceph_msg *msg,
/* trace */ /* trace */
ceph_decode_32_safe(&p, end, len, bad); ceph_decode_32_safe(&p, end, len, bad);
if (len > 0) { if (len > 0) {
ceph_decode_need(&p, end, len, bad);
err = parse_reply_info_trace(&p, p+len, info, features); err = parse_reply_info_trace(&p, p+len, info, features);
if (err < 0) if (err < 0)
goto out_bad; goto out_bad;
@ -270,6 +271,7 @@ static int parse_reply_info(struct ceph_msg *msg,
/* extra */ /* extra */
ceph_decode_32_safe(&p, end, len, bad); ceph_decode_32_safe(&p, end, len, bad);
if (len > 0) { if (len > 0) {
ceph_decode_need(&p, end, len, bad);
err = parse_reply_info_extra(&p, p+len, info, features); err = parse_reply_info_extra(&p, p+len, info, features);
if (err < 0) if (err < 0)
goto out_bad; goto out_bad;