提交 130f52f2 编写于 作者: I Ilya Dryomov

libceph: check authorizer reply/challenge length before reading

Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.
Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
Reviewed-by: NSage Weil <sage@redhat.com>
上级 cc255c76
...@@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con) ...@@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con)
if (con->auth) { if (con->auth) {
size = le32_to_cpu(con->in_reply.authorizer_len); size = le32_to_cpu(con->in_reply.authorizer_len);
if (size > con->auth->authorizer_reply_buf_len) {
pr_err("authorizer reply too big: %d > %zu\n", size,
con->auth->authorizer_reply_buf_len);
ret = -EINVAL;
goto out;
}
end += size; end += size;
ret = read_partial(con, end, size, ret = read_partial(con, end, size,
con->auth->authorizer_reply_buf); con->auth->authorizer_reply_buf);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册