| Message ID | 20180801190350.857-8-idryomov@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | libceph: support for cephx v2 | expand |
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index e915c8bce117..0a187196aeed 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -1782,6 +1782,13 @@ static int read_partial_connect(struct ceph_connection *con) if (con->auth) { size = le32_to_cpu(con->in_reply.authorizer_len); + if (size > con->auth->authorizer_reply_buf_len) { + pr_err("authorizer reply too big: %d > %zu\n", size, + con->auth->authorizer_reply_buf_len); + ret = -EINVAL; + goto out; + } + end += size; ret = read_partial(con, end, size, con->auth->authorizer_reply_buf);
Avoid scribbling over memory if the received reply/challenge is larger than the buffer supplied with the authorizer. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> --- net/ceph/messenger.c | 7 +++++++ 1 file changed, 7 insertions(+)