aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2012-04-20 16:49:44 -0400
committerAlex Elder <elder@dreamhost.com>2012-05-14 13:12:27 -0400
commit76aa542fb90e3e91edb1146d10ca7cf2cae8e7e9 (patch)
treed01a137e60126d140790c64f1a3994c62792b61e /include
parent065a68f9167e20f321a62d044cb2c3024393d455 (diff)
ceph: fix bounds check in ceph_decode_need and ceph_encode_need
Given a large n, the bounds check (*p + n > end) can be bypassed due to pointer wraparound. A safer check is (n > end - *p). [elder@dreamhost.com: inverted test and renamed ceph_has_room()] Signed-off-by: Xi Wang <xi.wang@gmail.com> Reviewed-by: Alex Elder <elder@dreamhost.com>
Diffstat (limited to 'include')
-rw-r--r--include/linux/ceph/decode.h9
1 files changed, 7 insertions, 2 deletions
diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h
index c5b6939fb32a..ecf324eb2c9a 100644
--- a/include/linux/ceph/decode.h
+++ b/include/linux/ceph/decode.h
@@ -45,9 +45,14 @@ static inline void ceph_decode_copy(void **p, void *pv, size_t n)
45/* 45/*
46 * bounds check input. 46 * bounds check input.
47 */ 47 */
48static inline int ceph_has_room(void **p, void *end, size_t n)
49{
50 return end >= *p && n <= end - *p;
51}
52
48#define ceph_decode_need(p, end, n, bad) \ 53#define ceph_decode_need(p, end, n, bad) \
49 do { \ 54 do { \
50 if (unlikely(*(p) + (n) > (end))) \ 55 if (!likely(ceph_has_room(p, end, n))) \
51 goto bad; \ 56 goto bad; \
52 } while (0) 57 } while (0)
53 58
@@ -166,7 +171,7 @@ static inline void ceph_encode_string(void **p, void *end,
166 171
167#define ceph_encode_need(p, end, n, bad) \ 172#define ceph_encode_need(p, end, n, bad) \
168 do { \ 173 do { \
169 if (unlikely(*(p) + (n) > (end))) \ 174 if (!likely(ceph_has_room(p, end, n))) \
170 goto bad; \ 175 goto bad; \
171 } while (0) 176 } while (0)
172 177