ceph: fix length validation in parse_reply_info() "len" is read from network and thus needs validation. Otherwise, given a bogus "len" value, p+len could be an out-of-bounds pointer, which is used in further parsing. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Sage Weil <sage@newdream.net>

commit: 32852a81bccd9e3d1953b894966393d1b546576d [log] [tgz]
author: Xi Wang <xi.wang@gmail.com> Sat Jan 14 22:20:59 2012 -0500
committer: Sage Weil <sage@newdream.net> Thu Feb 02 12:49:11 2012 -0800
tree: 8c21ce9f1a1e6ecfbeafdcc8552b77b3587bca5b
parent: ab434b60ab07f8c44246b6fb0cddee436687a09a [diff] [blame]
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 6203d80..be1415fc 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c

@@ -262,6 +262,7 @@
 	/* trace */
 	ceph_decode_32_safe(&p, end, len, bad);
 	if (len > 0) {
+		ceph_decode_need(&p, end, len, bad);
 		err = parse_reply_info_trace(&p, p+len, info, features);
 		if (err < 0)
 			goto out_bad;
@@ -270,6 +271,7 @@
 	/* extra */
 	ceph_decode_32_safe(&p, end, len, bad);
 	if (len > 0) {
+		ceph_decode_need(&p, end, len, bad);
 		err = parse_reply_info_extra(&p, p+len, info, features);
 		if (err < 0)
 			goto out_bad;
commit	32852a81bccd9e3d1953b894966393d1b546576d	[log] [tgz]
author	Xi Wang <xi.wang@gmail.com>	Sat Jan 14 22:20:59 2012 -0500
committer	Sage Weil <sage@newdream.net>	Thu Feb 02 12:49:11 2012 -0800
tree	8c21ce9f1a1e6ecfbeafdcc8552b77b3587bca5b
parent	ab434b60ab07f8c44246b6fb0cddee436687a09a [diff] [blame]