libceph: fix overflow in osdmap_apply_incremental()
On 32-bit systems, a large `pglen' would overflow `pglen*sizeof(u32)' and bypass the check ceph_decode_need(p, end, pglen*sizeof(u32), bad). It would also overflow the subsequent kmalloc() size, leading to out-of-bounds write. Signed-off-by: NXi Wang <xi.wang@gmail.com> Reviewed-by: NAlex Elder <elder@inktank.com>
Showing
想要评论请 注册 或 登录