Searched hist:ad3b904c (Results 1 – 1 of 1) sorted by relevance
/openbmc/linux/net/ceph/ |
H A D | osdmap.c | ad3b904c Wed Jun 06 19:35:55 CDT 2012 Xi Wang <xi.wang@gmail.com> libceph: fix overflow in __decode_pool_names()
`len' is read from network and thus needs validation. Otherwise a large `len' would cause out-of-bounds access via the memcpy() call. In addition, len = 0xffffffff would overflow the kmalloc() size, leading to out-of-bounds write.
This patch adds a check of `len' via ceph_decode_need(). Also use kstrndup rather than kmalloc/memcpy.
[elder@inktank.com: added -ENOMEM return for null kstrndup() result]
Signed-off-by: Xi Wang <xi.wang@gmail.com> Reviewed-by: Alex Elder <elder@inktank.com> ad3b904c Wed Jun 06 19:35:55 CDT 2012 Xi Wang <xi.wang@gmail.com> libceph: fix overflow in __decode_pool_names() `len' is read from network and thus needs validation. Otherwise a large `len' would cause out-of-bounds access via the memcpy() call. In addition, len = 0xffffffff would overflow the kmalloc() size, leading to out-of-bounds write. This patch adds a check of `len' via ceph_decode_need(). Also use kstrndup rather than kmalloc/memcpy. [elder@inktank.com: added -ENOMEM return for null kstrndup() result] Signed-off-by: Xi Wang <xi.wang@gmail.com> Reviewed-by: Alex Elder <elder@inktank.com>
|