From: Xi Wang <xi.wang@gmail.com>
Date: Thu, 7 Jun 2012 00:35:55 +0000 (-0500)
Subject: libceph: fix overflow in osdmap_apply_incremental()
X-Git-Tag: v3.6-rc1~36^2~106
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5506049500b30dbc5edb4d07a3577477c1f3643;p=pandora-kernel.git

libceph: fix overflow in osdmap_apply_incremental()

On 32-bit systems, a large `pglen' would overflow `pglen*sizeof(u32)'
and bypass the check ceph_decode_need(p, end, pglen*sizeof(u32), bad).
It would also overflow the subsequent kmalloc() size, leading to
out-of-bounds write.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@inktank.com>
---

Reading git-diff-tree failed