On Sat, 14 Jan 2012, Xi Wang wrote:
> "len" is read from network and thus needs validation. Otherwise, given
> a bogus "len" value, p+len could be an out-of-bounds pointer, which is
> used in further parsing.
>
> Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
Applied. Sorry I missed this the first time around!
sage
> ---
> fs/ceph/mds_client.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 23ab6a3..3cc9b0b 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -262,6 +262,7 @@ static int parse_reply_info(struct ceph_msg *msg,
> /* trace */
> ceph_decode_32_safe(&p, end, len, bad);
> if (len > 0) {
> + ceph_decode_need(&p, end, len, bad);
> err = parse_reply_info_trace(&p, p+len, info, features);
> if (err < 0)
> goto out_bad;
> @@ -270,6 +271,7 @@ static int parse_reply_info(struct ceph_msg *msg,
> /* extra */
> ceph_decode_32_safe(&p, end, len, bad);
> if (len > 0) {
> + ceph_decode_need(&p, end, len, bad);
> err = parse_reply_info_extra(&p, p+len, info, features);
> if (err < 0)
> goto out_bad;
> --
> 1.7.5.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
