libceph: check authorizer reply/challenge length before reading

Avoid scribbling over memory if the received reply/challenge is larger than the buffer supplied with the authorizer. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Sage Weil <sage@redhat.com>
author: Ilya Dryomov <idryomov@gmail.com> 2018-07-27 19:40:30 +0200
committer: Ilya Dryomov <idryomov@gmail.com> 2018-08-02 21:33:26 +0200
commit: 130f52f2b203aa0aec179341916ffb2e905f3afd (patch)
tree: bff0676cab201746527089611ead79b1948d1ff5 /net/ceph
parent: cc255c76c70f7a87d97939621eae04b600d9f4a1 (diff)
download: linux-130f52f2b203aa0aec179341916ffb2e905f3afd.tar.gz
linux-130f52f2b203aa0aec179341916ffb2e905f3afd.tar.bz2
linux-130f52f2b203aa0aec179341916ffb2e905f3afd.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index e915c8bce117..0a187196aeed 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con)
 
 	if (con->auth) {
 		size = le32_to_cpu(con->in_reply.authorizer_len);
+		if (size > con->auth->authorizer_reply_buf_len) {
+			pr_err("authorizer reply too big: %d > %zu\n", size,
+			       con->auth->authorizer_reply_buf_len);
+			ret = -EINVAL;
+			goto out;
+		}
+
 		end += size;
 		ret = read_partial(con, end, size,
 				   con->auth->authorizer_reply_buf);
author	Ilya Dryomov <idryomov@gmail.com>	2018-07-27 19:40:30 +0200
committer	Ilya Dryomov <idryomov@gmail.com>	2018-08-02 21:33:26 +0200
commit	130f52f2b203aa0aec179341916ffb2e905f3afd (patch)
tree	bff0676cab201746527089611ead79b1948d1ff5 /net/ceph
parent	cc255c76c70f7a87d97939621eae04b600d9f4a1 (diff)
download	linux-130f52f2b203aa0aec179341916ffb2e905f3afd.tar.gz linux-130f52f2b203aa0aec179341916ffb2e905f3afd.tar.bz2 linux-130f52f2b203aa0aec179341916ffb2e905f3afd.zip