author | Ilya Dryomov <idryomov@gmail.com> | 2017-05-19 12:21:56 +0200 |
---|---|---|
committer | Ilya Dryomov <idryomov@gmail.com> | 2017-05-23 20:32:25 +0200 |
commit | d18a1247c4070390fc0c2d83d89a72afe921882e (patch) | |
tree | ff53595692f3e7d62dca8ca42a9918ffde10fab1 | |
parent | f3b4e55ded9b3c52831a7d2ab9e511293c99fc11 (diff) | |
libceph: validate blob_struct_v in process_one_ticket()
None of these are validated in userspace, but since we do validate
reply_struct_v in ceph_x_proc_ticket_reply(), tkt_struct_v (first) and
CephXServiceTicket struct_v (second) in process_one_ticket(), validate
CephXTicketBlob struct_v as well.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Elder <elder@linaro.org>
-rw-r--r-- | net/ceph/auth_x.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c index 2034fb9..d0126df 100644 --- a/net/ceph/auth_x.c +++ b/net/ceph/auth_x.c @@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac, dout(" ticket blob is %d bytes\n", dlen); ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad); blob_struct_v = ceph_decode_8(ptp); + if (blob_struct_v != 1) + goto bad; + new_secret_id = ceph_decode_64(ptp); ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend); if (ret) |
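Review bot: The new `if (blob_struct_v != 1) goto bad;` check right after `blob_struct_v = ceph_decode_8(ptp);` fails without reporting which version was seen, so an authentication failure caused by an unexpected CephXTicketBlob version would be hard to diagnose; consider a `dout()` or error message that prints the rejected `blob_struct_v` before the `goto bad`. The strict `!= 1` comparison also means this client refuses any other blob version even though, per the commit message, userspace does not validate it, so a short comment stating that only version 1 is understood would make the intent explicit. The hunk does not show `ret` being assigned on this path; confirm that the `bad` label sets an error code rather than returning whatever `ret` last held.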