ceph: fix length validation in parse_reply_info()
authorXi Wang <xi.wang@gmail.com>
Sun, 15 Jan 2012 03:20:59 +0000 (22:20 -0500)
committerSage Weil <sage@newdream.net>
Thu, 2 Feb 2012 20:49:11 +0000 (12:49 -0800)
"len" is read from network and thus needs validation.  Otherwise, given
a bogus "len" value, p+len could be an out-of-bounds pointer, which is
used in further parsing.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Sage Weil <sage@newdream.net>
fs/ceph/mds_client.c

index 6203d805eb45061d20b5d8e08222f97aae6cd0a6..be1415fcaac82bd0bcf67f8bd6e8130fe17adb4e 100644 (file)
@@ -262,6 +262,7 @@ static int parse_reply_info(struct ceph_msg *msg,
        /* trace */
        ceph_decode_32_safe(&p, end, len, bad);
        if (len > 0) {
+               ceph_decode_need(&p, end, len, bad);
                err = parse_reply_info_trace(&p, p+len, info, features);
                if (err < 0)
                        goto out_bad;
@@ -270,6 +271,7 @@ static int parse_reply_info(struct ceph_msg *msg,
        /* extra */
        ceph_decode_32_safe(&p, end, len, bad);
        if (len > 0) {
+               ceph_decode_need(&p, end, len, bad);
                err = parse_reply_info_extra(&p, p+len, info, features);
                if (err < 0)
                        goto out_bad;
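Review bot: The added `ceph_decode_need(&p, end, len, bad)` carries no comment saying why it sits between the length read and the `p+len` it protects, and the identical bare pattern appears in both hunks (trace at the first, extra at the second), so a later cleanup could easily drop one of them; a one-line comment above each, `/* len is untrusted wire data: bound p+len by end before sub-parsing */`, would pin the intent. The check itself is the right bound, since it fails the message when fewer than len bytes remain and leaves p untouched, so the `p+len` passed as the sub-parser's end cannot run past `end`. If parse_reply_info() decodes any further length-prefixed field after the extra section (outside this hunk), that field presumably needs the same guard before its `p+len` or `p += len` is formed — worth confirming against the rest of the function. parse_reply_info() starts and ends outside both hunks.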