libceph: check authorizer reply/challenge length before reading
authorIlya Dryomov <idryomov@gmail.com>
Fri, 27 Jul 2018 17:40:30 +0000 (19:40 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 8 Dec 2018 12:05:10 +0000 (13:05 +0100)
commit 130f52f2b203aa0aec179341916ffb2e905f3afd upstream.

Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/ceph/messenger.c

index d3ceb13ec3d993f1339db1bc11b05b57ed4ea5c8..5a8075d9f2e7e3d9612a3d6e185063e9ac3ea1e0 100644 (file)
@@ -1738,6 +1738,13 @@ static int read_partial_connect(struct ceph_connection *con)
 
        if (con->auth) {
                size = le32_to_cpu(con->in_reply.authorizer_len);
+               if (size > con->auth->authorizer_reply_buf_len) {
+                       pr_err("authorizer reply too big: %d > %zu\n", size,
+                              con->auth->authorizer_reply_buf_len);
+                       ret = -EINVAL;
+                       goto out;
+               }
+
                end += size;
                ret = read_partial(con, end, size,
                                   con->auth->authorizer_reply_buf);
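Review bot: The added bound check on `size` is correct only through the implicit conversion to size_t in the comparison, and that deserves a comment. The `%d` in the pr_err suggests `size` is a signed int (its declaration is outside the hunk), so a peer-supplied `authorizer_len` with the top bit set would become negative, convert to a very large size_t and be rejected, yet be logged as a negative number. I would add `/* size is peer-controlled; a negative value converts to size_t and fails this check */` above the `if`, and log with `%u` and `(u32)size` so the message shows the length the peer actually sent. read_partial_connect begins and ends outside the hunk, so whether the other length fields it reads are bounded the same way cannot be judged from these lines.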