Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e9226d7c authored by Ilya Dryomov's avatar Ilya Dryomov
Browse files

libceph: eliminate unnecessary allocation in process_one_ticket() 



Commit c27a3e4d ("libceph: do not hard code max auth ticket len")
while fixing a buffer overlow tried to keep the same as much of the
surrounding code as possible and introduced an unnecessary kmalloc() in
the unencrypted ticket path.  It is likely to fail on huge tickets, so
get rid of it.

Signed-off-by: default avatarIlya Dryomov <idryomov@redhat.com>
Reviewed-by: default avatarSage Weil <sage@redhat.com>
parent a8d42056

net/ceph/auth_x.c

+10 −15
Original line number Diff line number Diff line
@@ -149,6 +149,7 @@ static int process_one_ticket(struct ceph_auth_client *ac, 
	struct ceph_crypto_key old_key;

	void *ticket_buf = NULL;

	void *tp, *tpend;

	void **ptp;

	struct ceph_timespec new_validity;

	struct ceph_crypto_key new_session_key;

	struct ceph_buffer *new_ticket_blob;
@@ -208,25 +209,19 @@ static int process_one_ticket(struct ceph_auth_client *ac, 
			goto out;

		}

		tp = ticket_buf;

		dlen = ceph_decode_32(&tp);

		ptp = &tp;

		tpend = *ptp + dlen;

	} else {

		/* unencrypted */

		ceph_decode_32_safe(p, end, dlen, bad);

		ticket_buf = kmalloc(dlen, GFP_NOFS);

		if (!ticket_buf) {

			ret = -ENOMEM;

			goto out;

		}

		tp = ticket_buf;

		ceph_decode_need(p, end, dlen, bad);

		ceph_decode_copy(p, ticket_buf, dlen);

		ptp = p;

		tpend = end;

	}

	tpend = tp + dlen;

	ceph_decode_32_safe(ptp, tpend, dlen, bad);

	dout(" ticket blob is %d bytes\n", dlen);

	ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);

	blob_struct_v = ceph_decode_8(&tp);

	new_secret_id = ceph_decode_64(&tp);

	ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);

	ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad);

	blob_struct_v = ceph_decode_8(ptp);

	new_secret_id = ceph_decode_64(ptp);

	ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend);

	if (ret)

		goto out;