Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e4bad1bc authored by Philipp Reisner's avatar Philipp Reisner
Browse files

drbd: Ensure that data_size is not 0 before using data_size-1 as index 



This could be exploited by a peer which runs modified code.

Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarPhilipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: default avatarLars Ellenberg <lars.ellenberg@linbit.com>
parent a1096a6e

drivers/block/drbd/drbd_receiver.c

+4 −4
Original line number Diff line number Diff line
@@ -3344,9 +3344,9 @@ static int receive_SyncParam(struct drbd_tconn *tconn, struct packet_info *pi) 


	if (apv >= 88) {

		if (apv == 88) {

			if (data_size > SHARED_SECRET_MAX) {

				dev_err(DEV, "verify-alg too long, "

				    "peer wants %u, accepting only %u byte\n",

			if (data_size > SHARED_SECRET_MAX || data_size == 0) {

				dev_err(DEV, "verify-alg of wrong size, "

					"peer wants %u, accepting only up to %u byte\n",

					data_size, SHARED_SECRET_MAX);

				err = -EIO;

				goto reconnect;