Tree - kernel/kernel-source - Pagure for openSUSE

kernel / kernel-source

Source
Stats

Files

Commit: a07f7ac44cacae01a70ddaee4b6440c9e8a59054

Blob Blame History Raw

From: Ilya Dryomov <idryomov@gmail.com>
Date: Fri, 27 Jul 2018 19:40:30 +0200
Subject: libceph: check authorizer reply/challenge length before reading
Git-commit: 130f52f2b203aa0aec179341916ffb2e905f3afd
Patch-mainline: v4.19-rc1
References: bsc#1096748

Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Acked-by: Luis Henriques <lhenriques@suse.com>
---
 net/ceph/messenger.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1748,6 +1748,13 @@ static int read_partial_connect(struct c
 
 	if (con->auth) {
 		size = le32_to_cpu(con->in_reply.authorizer_len);
+		if (size > con->auth->authorizer_reply_buf_len) {
+			pr_err("authorizer reply too big: %d > %zu\n", size,
+			       con->auth->authorizer_reply_buf_len);
+			ret = -EINVAL;
+			goto out;
+		}
+
 		end += size;
 		ret = read_partial(con, end, size,
 				   con->auth->authorizer_reply_buf);

kernel / kernel-source

Source Code

Files