drbd: Ensure that data_size is not 0 before using data_size-1 as index
authorPhilipp Reisner <philipp.reisner@linbit.com>
Wed, 28 Mar 2012 08:17:32 +0000 (10:17 +0200)
committerPhilipp Reisner <philipp.reisner@linbit.com>
Wed, 9 May 2012 13:16:56 +0000 (15:16 +0200)
This could be exploited by a peer which runs modified code.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
drivers/block/drbd/drbd_receiver.c

index 9db93ff11c0284ad88304ef37af2315c3ed55051..017eeb745ed9d01f7ed5d37e3f05269f359e46d3 100644 (file)
@@ -2837,10 +2837,10 @@ static int receive_SyncParam(struct drbd_conf *mdev, enum drbd_packets cmd, unsi
 
        if (apv >= 88) {
                if (apv == 88) {
-                       if (data_size > SHARED_SECRET_MAX) {
-                               dev_err(DEV, "verify-alg too long, "
-                                   "peer wants %u, accepting only %u byte\n",
-                                               data_size, SHARED_SECRET_MAX);
+                       if (data_size > SHARED_SECRET_MAX || data_size == 0) {
+                               dev_err(DEV, "verify-alg of wrong size, "
+                                       "peer wants %u, accepting only up to %u byte\n",
+                                       data_size, SHARED_SECRET_MAX);
                                return false;
                        }