diff options
| author | Ilya Dryomov <[email protected]> | 2023-07-10 20:39:29 +0200 |
|---|---|---|
| committer | Ilya Dryomov <[email protected]> | 2023-07-13 13:18:57 +0200 |
| commit | a282a2f10539dce2aa619e71e1817570d557fc97 (patch) | |
| tree | 1fed5166a21680b0e1b02f74a18579b78086bdf9 /tools/testing/selftests/bpf/progs/test_prog_array_init.c | |
| parent | 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5 (diff) | |
libceph: harden msgr2.1 frame segment length checks
ceph_frame_desc::fd_lens is an int array. decode_preamble() thus
effectively casts u32 -> int but the checks for segment lengths are
written as if on unsigned values. While reading in HELLO or one of the
AUTH frames (before authentication is completed), arithmetic in
head_onwire_len() can get duped by negative ctrl_len and produce
head_len which is less than CEPH_PREAMBLE_LEN but still positive.
This would lead to a buffer overrun in prepare_read_control() as the
preamble gets copied to the newly allocated buffer of size head_len.
Cc: [email protected]
Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Reported-by: Thelford Williams <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
Reviewed-by: Xiubo Li <[email protected]>
Diffstat (limited to 'tools/testing/selftests/bpf/progs/test_prog_array_init.c')
0 files changed, 0 insertions, 0 deletions