Commit 7fce830e authored by ziming zhang, committed by Ilya Dryomov

libceph: prevent potential out-of-bounds writes in handle_auth_session_key()



The len field originates from untrusted network packets. Boundary
checks have been added to prevent potential out-of-bounds writes when
decrypting the connection secret or processing service tickets.

[ idryomov: changelog ]

Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
parent ec3797f0
+2 −0
@@ -631,6 +631,7 @@ static int handle_auth_session_key(struct ceph_auth_client *ac, u64 global_id,

	/* connection secret */
	ceph_decode_32_safe(p, end, len, e_inval);
	ceph_decode_need(p, end, len, e_inval);
	dout("%s connection secret blob len %d\n", __func__, len);
	if (len > 0) {
		dp = *p + ceph_x_encrypt_offset();
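
Review bot: in the connection secret block, ceph_decode_need(p, end, len, e_inval) only guarantees that len bytes remain starting at *p, while the next statement sets dp = *p + ceph_x_encrypt_offset(), so a non-zero len smaller than that offset still passes the new check. The code that consumes dp is outside this hunk; please confirm it rejects a blob shorter than the encrypt offset, or add an explicit lower bound next to the new check and a short comment saying that len comes from the wire.
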
@@ -648,6 +649,7 @@ static int handle_auth_session_key(struct ceph_auth_client *ac, u64 global_id,

	/* service tickets */
	ceph_decode_32_safe(p, end, len, e_inval);
	ceph_decode_need(p, end, len, e_inval);
	dout("%s service tickets blob len %d\n", __func__, len);
	if (len > 0) {
		ret = ceph_x_proc_ticket_reply(ac, &th->session_key,
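
Review bot: in the service tickets block, len is printed with %d in the dout() line directly after the new ceph_decode_need(), and its declaration is not visible in this hunk. If len is a signed int, a wire value with the top bit set turns negative and would skip the "if (len > 0)" branch unless ceph_decode_need() has already rejected it. Suggest confirming that the macro compares len as an unsigned size against end - *p and saying so in the changelog, or declaring len as u32 and printing it with %u in both dout() calls.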