Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 5de738272e38f7051c7a44c42631b71a0e2a1e80^! / . / drivers
commit5de738272e38f7051c7a44c42631b71a0e2a1e80[log] [tgz]
authorPhilipp Reisner <philipp.reisner@linbit.com>Wed Mar 28 10:17:32 2012 +0200
committerPhilipp Reisner <philipp.reisner@linbit.com>Wed May 09 15:16:56 2012 +0200
tree8693bda089848c0fe3123b2ac1c46f9b89300d47
parent197296ffed71b7d5056d8618a07fec145b040303 [diff]
drbd: Ensure that data_size is not 0 before using data_size-1 as index

This could be exploited by a peer which runs modified code.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 9db93ff..017eeb7 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c

@@ -2837,10 +2837,10 @@
 
 	if (apv >= 88) {
 		if (apv == 88) {
-			if (data_size > SHARED_SECRET_MAX) {
-				dev_err(DEV, "verify-alg too long, "
-				    "peer wants %u, accepting only %u byte\n",
-						data_size, SHARED_SECRET_MAX);
+			if (data_size > SHARED_SECRET_MAX || data_size == 0) {
+				dev_err(DEV, "verify-alg of wrong size, "
+					"peer wants %u, accepting only up to %u byte\n",
+					data_size, SHARED_SECRET_MAX);
 				return false;
 			}