Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 76aa542f authored by Xi Wang's avatar Xi Wang Committed by Alex Elder
Browse files

ceph: fix bounds check in ceph_decode_need and ceph_encode_need 



Given a large n, the bounds check (*p + n > end) can be bypassed due to
pointer wraparound.  A safer check is (n > end - *p).

[elder@dreamhost.com: inverted test and renamed ceph_has_room()]

Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Reviewed-by: default avatarAlex Elder <elder@dreamhost.com>
parent 065a68f9

include/linux/ceph/decode.h

+7 −2
Original line number Diff line number Diff line
@@ -45,9 +45,14 @@ static inline void ceph_decode_copy(void **p, void *pv, size_t n) 
/*

 * bounds check input.

 */

static inline int ceph_has_room(void **p, void *end, size_t n)

{

	return end >= *p && n <= end - *p;

}



#define ceph_decode_need(p, end, n, bad)		\

	do {						\

		if (unlikely(*(p) + (n) > (end))) 	\

		if (!likely(ceph_has_room(p, end, n)))	\

			goto bad;			\

	} while (0)
@@ -166,7 +171,7 @@ static inline void ceph_encode_string(void **p, void *end, 


#define ceph_encode_need(p, end, n, bad)		\

	do {						\

		if (unlikely(*(p) + (n) > (end))) 	\

		if (!likely(ceph_has_room(p, end, n)))	\

			goto bad;			\

	} while (0)