Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 130f52f2 authored by Ilya Dryomov's avatar Ilya Dryomov
Browse files

libceph: check authorizer reply/challenge length before reading 



Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.

Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
Reviewed-by: default avatarSage Weil <sage@redhat.com>
parent cc255c76

net/ceph/messenger.c

+7 −0
Original line number Diff line number Diff line
@@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con) 


	if (con->auth) {

		size = le32_to_cpu(con->in_reply.authorizer_len);

		if (size > con->auth->authorizer_reply_buf_len) {

			pr_err("authorizer reply too big: %d > %zu\n", size,

			       con->auth->authorizer_reply_buf_len);

			ret = -EINVAL;

			goto out;

		}



		end += size;

		ret = read_partial(con, end, size,

				   con->auth->authorizer_reply_buf);