The bounds check (*p + n > end) can be bypassed with a large n due to pointer wraparound, especially when n is read from network. Change the check to a safer form (n > end - *p).
Signed-off-by: Xi Wang <[email protected]> --- include/linux/ceph/decode.h | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h index c5b6939..c0b1e46 100644 --- a/include/linux/ceph/decode.h +++ b/include/linux/ceph/decode.h @@ -12,6 +12,11 @@ * void *end pointer to end of buffer (last byte + 1) */ +static inline int ceph_need(void **p, void *end, size_t n) +{ + return (end < *p) || (n > end - *p); +} + static inline u64 ceph_decode_64(void **p) { u64 v = get_unaligned_le64(*p); @@ -47,7 +52,7 @@ static inline void ceph_decode_copy(void **p, void *pv, size_t n) */ #define ceph_decode_need(p, end, n, bad) \ do { \ - if (unlikely(*(p) + (n) > (end))) \ + if (unlikely(ceph_need(p, end, n))) \ goto bad; \ } while (0) @@ -166,7 +171,7 @@ static inline void ceph_encode_string(void **p, void *end, #define ceph_encode_need(p, end, n, bad) \ do { \ - if (unlikely(*(p) + (n) > (end))) \ + if (unlikely(ceph_need(p, end, n))) \ goto bad; \ } while (0) -- 1.7.5.4 -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
