diff options
| author | Philipp Reisner <philipp.reisner@linbit.com> | 2012-03-28 04:17:32 -0400 |
|---|---|---|
| committer | Philipp Reisner <philipp.reisner@linbit.com> | 2012-05-09 09:16:56 -0400 |
| commit | 5de738272e38f7051c7a44c42631b71a0e2a1e80 (patch) | |
| tree | 8693bda089848c0fe3123b2ac1c46f9b89300d47 /drivers/block | |
| parent | 197296ffed71b7d5056d8618a07fec145b040303 (diff) | |
drbd: Ensure that data_size is not 0 before using data_size-1 as index
This could be exploited by a peer which runs modified code.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Diffstat (limited to 'drivers/block')
| -rw-r--r-- | drivers/block/drbd/drbd_receiver.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c index 9db93ff11c02..017eeb745ed9 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c | |||
| @@ -2837,10 +2837,10 @@ static int receive_SyncParam(struct drbd_conf *mdev, enum drbd_packets cmd, unsi | |||
| 2837 | 2837 | ||
| 2838 | if (apv >= 88) { | 2838 | if (apv >= 88) { |
| 2839 | if (apv == 88) { | 2839 | if (apv == 88) { |
| 2840 | if (data_size > SHARED_SECRET_MAX) { | 2840 | if (data_size > SHARED_SECRET_MAX || data_size == 0) { |
| 2841 | dev_err(DEV, "verify-alg too long, " | 2841 | dev_err(DEV, "verify-alg of wrong size, " |
| 2842 | "peer wants %u, accepting only %u byte\n", | 2842 | "peer wants %u, accepting only up to %u byte\n", |
| 2843 | data_size, SHARED_SECRET_MAX); | 2843 | data_size, SHARED_SECRET_MAX); |
| 2844 | return false; | 2844 | return false; |
| 2845 | } | 2845 | } |
| 2846 | 2846 | ||