libceph: prevent potential out-of-bounds reads in handle_auth_done()
authorziming zhang <ezrakiez@gmail.com>
Thu, 11 Dec 2025 08:52:58 +0000 (16:52 +0800)
committerIlya Dryomov <idryomov@gmail.com>
Mon, 5 Jan 2026 12:28:25 +0000 (13:28 +0100)
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.

[ idryomov: changelog ]

Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
net/ceph/messenger_v2.c

index 833e57849c1d74710956a621e2eb4fd0ec4b2bef..c9d50c0dcd33a6c21c84004b797da53cc545f120 100644 (file)
@@ -2376,7 +2376,9 @@ static int process_auth_done(struct ceph_connection *con, void *p, void *end)
 
        ceph_decode_64_safe(&p, end, global_id, bad);
        ceph_decode_32_safe(&p, end, con->v2.con_mode, bad);
+
        ceph_decode_32_safe(&p, end, payload_len, bad);
+       ceph_decode_need(&p, end, payload_len, bad);
 
        dout("%s con %p global_id %llu con_mode %d payload_len %d\n",
             __func__, con, global_id, con->v2.con_mode, payload_len);
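Review bot: The added `ceph_decode_need(&p, end, payload_len, bad);` is only as strong as the handling of a length above INT_MAX, and the `%d` in the dout() below suggests payload_len is a signed int (its declaration is outside the hunk). If so, a 32-bit wire value with the top bit set decodes as a negative number, and rejecting it depends on ceph_decode_need comparing the length as an unsigned size, which is not visible here. Where the callout's parameter type allows it, declaring `u32 payload_len;` and logging it with `%u` would make the bound explicit. Otherwise a comment above the check would record the intent, for example `/* payload_len comes from the peer; it must fit in [p, end) before the auth callout reads it */`. The rest of process_auth_done, including the callout that consumes the payload, lies outside this hunk.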