libceph: check authorizer reply/challenge length before reading

commit 130f52f2 upstream. Avoid scribbling over memory if the received reply/challenge is larger than the buffer supplied with the authorizer. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Sage Weil <sage@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

libceph: check authorizer reply/challenge length before reading
commit 130f52f2 upstream. Avoid scribbling over memory if the received reply/challenge is larger than the buffer supplied with the authorizer. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Sage Weil <sage@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
0c5f2e89 · Ilya Dryomov · Greg Kroah-Hartman · 14118df4 · 0c5f2e89
Commit 0c5f2e89 authored Jul 27, 2018 by Ilya Dryomov Committed by Greg Kroah-Hartman Dec 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

net/ceph/messenger.c net/ceph/messenger.c +7 -0

No files found.
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1754,6 +1754,13 @@ static int read_partial_connect(struct ceph_connection *con)

 	if (con->auth) {
 		size = le32_to_cpu(con->in_reply.authorizer_len);
+		if (size > con->auth->authorizer_reply_buf_len) {
+			pr_err("authorizer reply too big: %d > %zu\n", size,
+			       con->auth->authorizer_reply_buf_len);
+			ret = -EINVAL;
+			goto out;
+		}
+
 		end += size;
 		ret = read_partial(con, end, size,
 				   con->auth->authorizer_reply_buf);