ceph: fix length validation in parse_reply_info()
"len" is read from network and thus needs validation. Otherwise, given a bogus "len" value, p+len could be an out-of-bounds pointer, which is used in further parsing. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Sage Weil <sage@newdream.net>
This commit is contained in:
parent
ab434b60ab
commit
32852a81bc
|
@ -262,6 +262,7 @@ static int parse_reply_info(struct ceph_msg *msg,
|
||||||
/* trace */
|
/* trace */
|
||||||
ceph_decode_32_safe(&p, end, len, bad);
|
ceph_decode_32_safe(&p, end, len, bad);
|
||||||
if (len > 0) {
|
if (len > 0) {
|
||||||
|
ceph_decode_need(&p, end, len, bad);
|
||||||
err = parse_reply_info_trace(&p, p+len, info, features);
|
err = parse_reply_info_trace(&p, p+len, info, features);
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
goto out_bad;
|
goto out_bad;
|
||||||
|
@ -270,6 +271,7 @@ static int parse_reply_info(struct ceph_msg *msg,
|
||||||
/* extra */
|
/* extra */
|
||||||
ceph_decode_32_safe(&p, end, len, bad);
|
ceph_decode_32_safe(&p, end, len, bad);
|
||||||
if (len > 0) {
|
if (len > 0) {
|
||||||
|
ceph_decode_need(&p, end, len, bad);
|
||||||
err = parse_reply_info_extra(&p, p+len, info, features);
|
err = parse_reply_info_extra(&p, p+len, info, features);
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
goto out_bad;
|
goto out_bad;
|
||||||
|
|
Loading…
Reference in New Issue