4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov idryomov@gmail.com
commit 130f52f2b203aa0aec179341916ffb2e905f3afd upstream.
Avoid scribbling over memory if the received reply/challenge is larger than the buffer supplied with the authorizer.
Signed-off-by: Ilya Dryomov idryomov@gmail.com Reviewed-by: Sage Weil sage@redhat.com Signed-off-by: Ben Hutchings ben.hutchings@codethink.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/ceph/messenger.c | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -1738,6 +1738,13 @@ static int read_partial_connect(struct c
if (con->auth) { size = le32_to_cpu(con->in_reply.authorizer_len); + if (size > con->auth->authorizer_reply_buf_len) { + pr_err("authorizer reply too big: %d > %zu\n", size, + con->auth->authorizer_reply_buf_len); + ret = -EINVAL; + goto out; + } + end += size; ret = read_partial(con, end, size, con->auth->authorizer_reply_buf);