ceph: fix bounds check in ceph_decode_need and ceph_encode_need
Given a large n, the bounds check (*p + n > end) can be bypassed due to
pointer wraparound. A safer check is (n > end - *p).
[elder@dreamhost.com: inverted test and renamed ceph_has_room()]
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@dreamhost.com>
diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h
index c5b6939..ecf324e 100644
--- a/include/linux/ceph/decode.h
+++ b/include/linux/ceph/decode.h
@@ -45,9 +45,14 @@
/*
* bounds check input.
*/
+static inline int ceph_has_room(void **p, void *end, size_t n)
+{
+ return end >= *p && n <= end - *p;
+}
+
#define ceph_decode_need(p, end, n, bad) \
do { \
- if (unlikely(*(p) + (n) > (end))) \
+ if (!likely(ceph_has_room(p, end, n))) \
goto bad; \
} while (0)
@@ -166,7 +171,7 @@
#define ceph_encode_need(p, end, n, bad) \
do { \
- if (unlikely(*(p) + (n) > (end))) \
+ if (!likely(ceph_has_room(p, end, n))) \
goto bad; \
} while (0)