ceph: fix bounds check in ceph_decode_need and ceph_encode_need

Given a large n, the bounds check (*p + n > end) can be bypassed due to pointer wraparound. A safer check is (n > end - *p). [elder@dreamhost.com: inverted test and renamed ceph_has_room()] Signed-off-by: Xi Wang <xi.wang@gmail.com> Reviewed-by: Alex Elder <elder@dreamhost.com>

ceph: fix bounds check in ceph_decode_need and ceph_encode_need
Given a large n, the bounds check (*p + n > end) can be bypassed due to pointer wraparound. A safer check is (n > end - *p). [elder@dreamhost.com: inverted test and renamed ceph_has_room()] Signed-off-by: Xi Wang <xi.wang@gmail.com> Reviewed-by: Alex Elder <elder@dreamhost.com>
76aa542f · Xi Wang · Alex Elder · 065a68f9 · 76aa542f
Commit 76aa542f authored Apr 20, 2012 by Xi Wang Committed by Alex Elder May 14, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

include/linux/ceph/decode.h include/linux/ceph/decode.h +7 -2

No files found.
--- a/include/linux/ceph/decode.h
+++ b/include/linux/ceph/decode.h
@@ -45,9 +45,14 @@ static inline void ceph_decode_copy(void **p, void *pv, size_t n)
 /*
 * bounds check input.
 */
+static inline int ceph_has_room(void **p, void *end, size_t n)
+{
+	return end >= *p && n <= end - *p;
+}
+
 #define ceph_decode_need(p, end, n, bad)		\
 	do {						\
-		if (unlikely(*(p) + (n) > (end))) 	\
+		if (!likely(ceph_has_room(p, end, n)))	\
 			goto bad;			\
 	} while (0)

@@ -166,7 +171,7 @@ static inline void ceph_encode_string(void **p, void *end,

 #define ceph_encode_need(p, end, n, bad)		\
 	do {						\
-		if (unlikely(*(p) + (n) > (end))) 	\
+		if (!likely(ceph_has_room(p, end, n)))	\
 			goto bad;			\
 	} while (0)