a5506049500b30dbc5edb4d07a3577477c1f3643 - kernel/msm-4.19

commit	a5506049500b30dbc5edb4d07a3577477c1f3643	[log] [tgz]
author	Xi Wang <xi.wang@gmail.com>	Wed Jun 06 19:35:55 2012 -0500
committer	Alex Elder <elder@dreamhost.com>	Thu Jun 07 08:28:16 2012 -0500
tree	e0229258f8f389c790f29af687cf5c13911c9bf3
parent	e91a9b639a691e0982088b5954eaafb5a25c8f1c [diff]

libceph: fix overflow in osdmap_apply_incremental()

On 32-bit systems, a large `pglen' would overflow `pglen*sizeof(u32)'
and bypass the check ceph_decode_need(p, end, pglen*sizeof(u32), bad).
It would also overflow the subsequent kmalloc() size, leading to
out-of-bounds write.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@inktank.com>

net/ceph/osdmap.c[diff]

1 file changed

tree: e0229258f8f389c790f29af687cf5c13911c9bf3