Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.
Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
---
net/ceph/messenger.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index e915c8bce117..0a187196aeed 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con)
if (con->auth) {
size = le32_to_cpu(con->in_reply.authorizer_len);
+ if (size > con->auth->authorizer_reply_buf_len) {
+ pr_err("authorizer reply too big: %d > %zu\n", size,
+ con->auth->authorizer_reply_buf_len);
+ ret = -EINVAL;
+ goto out;
+ }
+
end += size;
ret = read_partial(con, end, size,
con->auth->authorizer_reply_buf);
--
2.14.4
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
