projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| f800b258 GKH |
1 | From foo@baz Thu Dec 6 15:27:31 CET 2018 |
| 2 | From: Ilya Dryomov <idryomov@gmail.com> | |
| 3 | Date: Fri, 27 Jul 2018 19:45:36 +0200 | |
| 4 | Subject: libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() | |
| 5 | ||
| 6 | From: Ilya Dryomov <idryomov@gmail.com> | |
| 7 | ||
| 8 | commit f1d10e04637924f2b00a0fecdd2ca4565f5cfc3f upstream. | |
| 9 | ||
| 10 | Allow for extending ceph_x_authorize_reply in the future. | |
| 11 | ||
| 12 | Signed-off-by: Ilya Dryomov <idryomov@gmail.com> | |
| 13 | Reviewed-by: Sage Weil <sage@redhat.com> | |
| 14 | Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> | |
| 15 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 16 | --- | |
| 17 | net/ceph/auth_x.c | 6 ++++-- | |
| 18 | 1 file changed, 4 insertions(+), 2 deletions(-) | |
| 19 | ||
| 20 | --- a/net/ceph/auth_x.c | |
| 21 | +++ b/net/ceph/auth_x.c | |
| 22 | @@ -733,8 +733,10 @@ static int ceph_x_verify_authorizer_repl | |
| 23 | ret = ceph_x_decrypt(&au->session_key, &p, p + CEPHX_AU_ENC_BUF_LEN); | |
| 24 | if (ret < 0) | |
| 25 | return ret; | |
| 26 | - if (ret != sizeof(*reply)) | |
| 27 | - return -EPERM; | |
| 28 | + if (ret < sizeof(*reply)) { | |
| 29 | + pr_err("bad size %d for ceph_x_authorize_reply\n", ret); | |
| 30 | + return -EINVAL; | |
| 31 | + } | |
| 32 | ||
| 33 | if (au->nonce + 1 != le64_to_cpu(reply->nonce_plus_one)) | |
| 34 | ret = -EPERM; |