[PATCH 4.9 057/101] libceph: check authorizer reply/challenge length before reading

From: Greg Kroah-Hartman
Date: Thu Dec 06 2018 - 09:46:19 EST


4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@xxxxxxxxx>

commit 130f52f2b203aa0aec179341916ffb2e905f3afd upstream.

Avoid scribbling over memory if the received reply/challenge is larger
than the buffer supplied with the authorizer.

Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
Reviewed-by: Sage Weil <sage@xxxxxxxxxx>
Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/ceph/messenger.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1738,6 +1738,13 @@ static int read_partial_connect(struct c

if (con->auth) {
size = le32_to_cpu(con->in_reply.authorizer_len);
+ if (size > con->auth->authorizer_reply_buf_len) {
+ pr_err("authorizer reply too big: %d > %zu\n", size,
+ con->auth->authorizer_reply_buf_len);
+ ret = -EINVAL;
+ goto out;
+ }
+
end += size;
ret = read_partial(con, end, size,
con->auth->authorizer_reply_buf);