diff options
| author | Xi Wang <xi.wang@gmail.com> | 2012-01-14 22:20:59 -0500 |
|---|---|---|
| committer | Sage Weil <sage@newdream.net> | 2012-02-02 15:49:11 -0500 |
| commit | 32852a81bccd9e3d1953b894966393d1b546576d (patch) | |
| tree | 8c21ce9f1a1e6ecfbeafdcc8552b77b3587bca5b /fs | |
| parent | ab434b60ab07f8c44246b6fb0cddee436687a09a (diff) | |
ceph: fix length validation in parse_reply_info()
"len" is read from network and thus needs validation. Otherwise, given
a bogus "len" value, p+len could be an out-of-bounds pointer, which is
used in further parsing.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Sage Weil <sage@newdream.net>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/ceph/mds_client.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 6203d805eb45..be1415fcaac8 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c | |||
| @@ -262,6 +262,7 @@ static int parse_reply_info(struct ceph_msg *msg, | |||
| 262 | /* trace */ | 262 | /* trace */ |
| 263 | ceph_decode_32_safe(&p, end, len, bad); | 263 | ceph_decode_32_safe(&p, end, len, bad); |
| 264 | if (len > 0) { | 264 | if (len > 0) { |
| 265 | ceph_decode_need(&p, end, len, bad); | ||
| 265 | err = parse_reply_info_trace(&p, p+len, info, features); | 266 | err = parse_reply_info_trace(&p, p+len, info, features); |
| 266 | if (err < 0) | 267 | if (err < 0) |
| 267 | goto out_bad; | 268 | goto out_bad; |
| @@ -270,6 +271,7 @@ static int parse_reply_info(struct ceph_msg *msg, | |||
| 270 | /* extra */ | 271 | /* extra */ |
| 271 | ceph_decode_32_safe(&p, end, len, bad); | 272 | ceph_decode_32_safe(&p, end, len, bad); |
| 272 | if (len > 0) { | 273 | if (len > 0) { |
| 274 | ceph_decode_need(&p, end, len, bad); | ||
| 273 | err = parse_reply_info_extra(&p, p+len, info, features); | 275 | err = parse_reply_info_extra(&p, p+len, info, features); |
| 274 | if (err < 0) | 276 | if (err < 0) |
| 275 | goto out_bad; | 277 | goto out_bad; |