| commit | e91a9b639a691e0982088b5954eaafb5a25c8f1c | [log] [tgz] |
|---|---|---|
| author | Xi Wang <xi.wang@gmail.com> | Wed Jun 06 19:35:55 2012 -0500 |
| committer | Alex Elder <elder@dreamhost.com> | Thu Jun 07 08:28:10 2012 -0500 |
| tree | 3ffdd2430ba72fefa9d8fb7eef73625d395de01d | |
| parent | ad3b904c07dfa88603689bf9a67bffbb9b99beb5 [diff] |
libceph: fix overflow in osdmap_decode() On 32-bit systems, a large `n' would overflow `n * sizeof(u32)' and bypass the check ceph_decode_need(p, end, n * sizeof(u32), bad). It would also overflow the subsequent kmalloc() size, leading to out-of-bounds write. Signed-off-by: Xi Wang <xi.wang@gmail.com> Reviewed-by: Alex Elder <elder@inktank.com>