summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIlya Dryomov <idryomov@gmail.com>2017-05-19 12:21:56 +0200
committerIlya Dryomov <idryomov@gmail.com>2017-05-23 20:32:25 +0200
commitd18a1247c4070390fc0c2d83d89a72afe921882e (patch)
treeff53595692f3e7d62dca8ca42a9918ffde10fab1
parentf3b4e55ded9b3c52831a7d2ab9e511293c99fc11 (diff)
downloadlinux-d18a1247c4070390fc0c2d83d89a72afe921882e.tar.gz
linux-d18a1247c4070390fc0c2d83d89a72afe921882e.tar.bz2
linux-d18a1247c4070390fc0c2d83d89a72afe921882e.zip
libceph: validate blob_struct_v in process_one_ticket()
None of these are validated in userspace, but since we do validate reply_struct_v in ceph_x_proc_ticket_reply(), tkt_struct_v (first) and CephXServiceTicket struct_v (second) in process_one_ticket(), validate CephXTicketBlob struct_v as well. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Elder <elder@linaro.org>
-rw-r--r--net/ceph/auth_x.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
index 2034fb926670..d0126df33f1f 100644
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac,
dout(" ticket blob is %d bytes\n", dlen);
ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad);
blob_struct_v = ceph_decode_8(ptp);
+ if (blob_struct_v != 1)
+ goto bad;
+
new_secret_id = ceph_decode_64(ptp);
ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend);
if (ret)