• X
    libceph: fix overflow in __decode_pool_names() · ad3b904c
    Xi Wang 提交于
    `len' is read from network and thus needs validation.  Otherwise a
    large `len' would cause out-of-bounds access via the memcpy() call.
    In addition, len = 0xffffffff would overflow the kmalloc() size,
    leading to out-of-bounds write.
    
    This patch adds a check of `len' via ceph_decode_need().  Also use
    kstrndup rather than kmalloc/memcpy.
    
    [elder@inktank.com: added -ENOMEM return for null kstrndup() result]
    Signed-off-by: NXi Wang <xi.wang@gmail.com>
    Reviewed-by: NAlex Elder <elder@inktank.com>
    ad3b904c
osdmap.c 26.2 KB