diff mbox series

[7/8] libceph: check authorizer reply/challenge length before reading

Message ID 20180801190350.857-8-idryomov@gmail.com (mailing list archive)
State New, archived
Headers show
Series libceph: support for cephx v2 | expand

Commit Message

Ilya Dryomov Aug. 1, 2018, 7:03 p.m. UTC 
Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
---
 net/ceph/messenger.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff mbox series

Patch

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index e915c8bce117..0a187196aeed 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1782,6 +1782,13 @@  static int read_partial_connect(struct ceph_connection *con)
 
 	if (con->auth) {
 		size = le32_to_cpu(con->in_reply.authorizer_len);
+		if (size > con->auth->authorizer_reply_buf_len) {
+			pr_err("authorizer reply too big: %d > %zu\n", size,
+			       con->auth->authorizer_reply_buf_len);
+			ret = -EINVAL;
+			goto out;
+		}
+
 		end += size;
 		ret = read_partial(con, end, size,
 				   con->auth->authorizer_reply_buf);