On 05/23/2017 11:33 AM, Ilya Dryomov wrote:
> None of these are validated in userspace, but since we do validate
> reply_struct_v in ceph_x_proc_ticket_reply(), tkt_struct_v (first) and
> CephXServiceTicket struct_v (second) in process_one_ticket(), validate
> CephXTicketBlob struct_v as well.
>
> Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>

Looks good. (I don't know what's valid but I know you do.)

Reviewed-by: Alex Elder <elder@xxxxxxxxxx>

> --- > net/ceph/auth_x.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c > index 2034fb926670..d0126df33f1f 100644 > --- a/net/ceph/auth_x.c > +++ b/net/ceph/auth_x.c > @@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac, > dout(" ticket blob is %d bytes\n", dlen); > ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad); > blob_struct_v = ceph_decode_8(ptp); > + if (blob_struct_v != 1) > + goto bad; > + > new_secret_id = ceph_decode_64(ptp); > ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend); > if (ret) > --
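
Review bot: the added `if (blob_struct_v != 1) goto bad;` in process_one_ticket() rejects the ticket silently and compares against a bare literal. The commit message says userspace does not validate this field, so a ticket blob carrying any other struct_v will now fail on the kernel client only, with nothing to show why. Consider logging the rejected value next to the existing "ticket blob is %d bytes" dout, and adding a short comment that 1 is the only CephXTicketBlob version this decoder accepts. The `bad` label is outside the visible context, so it is also worth confirming that this path leaves an error code in `ret` rather than a value from an earlier successful call.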