summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2012-01-14 22:20:59 -0500
committerSage Weil <sage@newdream.net>2012-02-02 12:49:11 -0800
commit32852a81bccd9e3d1953b894966393d1b546576d (patch)
tree8c21ce9f1a1e6ecfbeafdcc8552b77b3587bca5b
parentab434b60ab07f8c44246b6fb0cddee436687a09a (diff)
downloadlinux-32852a81bccd9e3d1953b894966393d1b546576d.tar.gz
linux-32852a81bccd9e3d1953b894966393d1b546576d.tar.bz2
linux-32852a81bccd9e3d1953b894966393d1b546576d.zip
ceph: fix length validation in parse_reply_info()
"len" is read from network and thus needs validation. Otherwise, given a bogus "len" value, p+len could be an out-of-bounds pointer, which is used in further parsing. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Sage Weil <sage@newdream.net>
-rw-r--r--fs/ceph/mds_client.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 6203d805eb45..be1415fcaac8 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -262,6 +262,7 @@ static int parse_reply_info(struct ceph_msg *msg,
/* trace */
ceph_decode_32_safe(&p, end, len, bad);
if (len > 0) {
+ ceph_decode_need(&p, end, len, bad);
err = parse_reply_info_trace(&p, p+len, info, features);
if (err < 0)
goto out_bad;
@@ -270,6 +271,7 @@ static int parse_reply_info(struct ceph_msg *msg,
/* extra */
ceph_decode_32_safe(&p, end, len, bad);
if (len > 0) {
+ ceph_decode_need(&p, end, len, bad);
err = parse_reply_info_extra(&p, p+len, info, features);
if (err < 0)
goto out_bad;