[PATCH RESEND] ceph: fix length validation in parse_reply_info()

From: Xi Wang
Date: Sat Jan 14 2012 - 22:26:27 EST

Next message: Alan Stern: "Re: x86/mce: machine check warning during poweroff"
Previous message: Linus Torvalds: "Re: [GIT] Security updates for 3.3: SELinux"
Next in thread: Sage Weil: "Re: [PATCH RESEND] ceph: fix length validation in parse_reply_info()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"len" is read from network and thus needs validation. Otherwise, given
a bogus "len" value, p+len could be an out-of-bounds pointer, which is
used in further parsing.

Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
---
fs/ceph/mds_client.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 23ab6a3..3cc9b0b 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -262,6 +262,7 @@ static int parse_reply_info(struct ceph_msg *msg,
/* trace */
ceph_decode_32_safe(&p, end, len, bad);
if (len > 0) {
+ ceph_decode_need(&p, end, len, bad);
err = parse_reply_info_trace(&p, p+len, info, features);
if (err < 0)
goto out_bad;
@@ -270,6 +271,7 @@ static int parse_reply_info(struct ceph_msg *msg,
/* extra */
ceph_decode_32_safe(&p, end, len, bad);
if (len > 0) {
+ ceph_decode_need(&p, end, len, bad);
err = parse_reply_info_extra(&p, p+len, info, features);
if (err < 0)
goto out_bad;
--
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Stern: "Re: x86/mce: machine check warning during poweroff"
Previous message: Linus Torvalds: "Re: [GIT] Security updates for 3.3: SELinux"
Next in thread: Sage Weil: "Re: [PATCH RESEND] ceph: fix length validation in parse_reply_info()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]