git.ipfire.org Git - thirdparty/linux.git/commitdiff
libceph: Fix potential out-of-bounds access in osdmap_decode()
author Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Tue, 5 May 2026 09:08:12 +0000 (11:08 +0200)
committer Ilya Dryomov <idryomov@gmail.com>
Mon, 11 May 2026 18:53:53 +0000 (20:53 +0200)
When decoding osd_state and osd_weight from an incoming osdmap in
osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
times. The ceph_decode_need() check only accounts for
sizeof(*map->osd_weight) once. This can potentially result in an
out-of-bounds memory access if the incoming message is corrupted such
that the max_osd value exceeds the actual content of the osdmap message.

This patch fixes the issue by changing the corresponding part in the
ceph_decode_need() check to account for
map->max_osd*sizeof(*map->osd_weight).

Cc: stable@vger.kernel.org
Fixes: dcbc919a5dc8 ("libceph: switch osdmap decoding to use ceph_decode_entity_addr")
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
net/ceph/osdmap.c

index 669348d883f09b2d55be60d2e7c4eb49a2b38a95..2095e73ccf6c9397e53f166ed8c849025960942e 100644 (file)
@@ -1705,7 +1705,7 @@ static int osdmap_decode(void **p, void *end, bool msgr2,
        ceph_decode_need(p, end, 3*sizeof(u32) +
                         map->max_osd*(struct_v >= 5 ? sizeof(u32) :
                                                       sizeof(u8)) +
-                                      sizeof(*map->osd_weight), e_inval);
+                        map->max_osd*sizeof(*map->osd_weight), e_inval);
        if (ceph_decode_32(p) != map->max_osd)
                goto e_inval;
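
Review bot: The length passed to ceph_decode_need() now sums two products of map->max_osd (the state term and the new `map->max_osd*sizeof(*map->osd_weight)` term on the `+` line), and nothing in the lines shown guards that sum against wraparound. Per the commit message, max_osd can disagree with the message content, so if it is not capped before this point, a large value could wrap the sum to a small number where the arithmetic is done in a 32-bit size_t, and the check would pass while the per-osd loops still run max_osd times. Please confirm that max_osd is bounded earlier in osdmap_decode() (the hunk does not show it) or compute the length with overflow-checked helpers. A one-line comment stating which fields the `3*sizeof(u32)` and the two per-osd terms cover would also make the next mismatch of this kind easier to spot.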