path: root/net/bluetooth
author: Ilya Dryomov <idryomov@gmail.com> 2023-07-10 20:39:29 +0200
committer: Ilya Dryomov <idryomov@gmail.com> 2023-07-13 13:18:57 +0200
commit: a282a2f10539dce2aa619e71e1817570d557fc97 (patch)
tree: 1fed5166a21680b0e1b02f74a18579b78086bdf9 /net/bluetooth
parent: 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5 (diff)
libceph: harden msgr2.1 frame segment length checks
ceph_frame_desc::fd_lens is an int array. decode_preamble() thus effectively casts u32 -> int but the checks for segment lengths are written as if on unsigned values. While reading in HELLO or one of the AUTH frames (before authentication is completed), arithmetic in head_onwire_len() can get duped by negative ctrl_len and produce head_len which is less than CEPH_PREAMBLE_LEN but still positive. This would lead to a buffer overrun in prepare_read_control() as the preamble gets copied to the newly allocated buffer of size head_len.

Cc: stable@vger.kernel.org
Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Reported-by: Thelford Williams <thelford@google.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
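The signed/unsigned mismatch the commit message describes, as an added model written for this page rather than the libceph code itself: the preamble constants, the plain-mode length formula and the two check shapes are assumed simplifications, and the wire value used is constructed. It shows how an upper-bound-only check on an int that came from a u32 lets a negative control length through, yielding a head length that is positive but shorter than the preamble, and how adding the lower bound rejects it.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed model of the msgr2.1 plain-mode preamble layout (not kernel values). */
#define PREAMBLE_LEN         32
#define CRC_LEN              4
#define PREAMBLE_PLAIN_LEN   (PREAMBLE_LEN + CRC_LEN)
#define MSG_MAX_CONTROL_LEN  65536

/* Models the plain-mode head length computation on a *signed* control length. */
int head_onwire_len_plain(int ctrl_len)
{
    int head_len = PREAMBLE_PLAIN_LEN;
    if (ctrl_len)
        head_len += ctrl_len + CRC_LEN;
    return head_len;
}

/* Weak check: upper bound only, written as if ctrl_len were unsigned. */
bool ctrl_len_ok_upper_only(int ctrl_len)
{
    return ctrl_len <= MSG_MAX_CONTROL_LEN;
}

/* Hardened check: a negative value is never a valid segment length. */
bool ctrl_len_ok_hardened(int ctrl_len)
{
    return ctrl_len >= 0 && ctrl_len <= MSG_MAX_CONTROL_LEN;
}

/* Decodes a u32 wire length through an int (the fd_lens[] conversion), applies
 * the chosen check and returns the head length, or -1 when the frame is rejected.
 * The u32 -> int conversion of a value >= 2^31 wraps to a negative number on
 * two's-complement targets, which is the condition the real bug depended on. */
int decode_head_len(uint32_t wire_len, bool hardened)
{
    int ctrl_len = (int)wire_len;
    bool ok = hardened ? ctrl_len_ok_hardened(ctrl_len)
                       : ctrl_len_ok_upper_only(ctrl_len);
    if (!ok)
        return -1;
    return head_onwire_len_plain(ctrl_len);
}

/* The preamble is always copied into the head buffer, so any head length
 * shorter than the preamble means the copy would write past the allocation. */
bool preamble_copy_would_overrun(int head_len)
{
    return head_len < PREAMBLE_LEN;
}
```

With the constructed wire length 0xFFFFFFF0 the weak path computes a head length of 24, which is positive yet smaller than the 32-byte preamble; the hardened path rejects the frame before any buffer is sized from it.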
Diffstat (limited to 'net/bluetooth')
0 files changed, 0 insertions, 0 deletions