From: Xi Wang <xi.wang@gmail.com>
Date: Thu, 7 Jun 2012 00:35:55 +0000 (-0500)
Subject: libceph: fix overflow in __decode_pool_names()
X-Git-Tag: v3.6-rc1~36^2~108
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad3b904c07dfa88603689bf9a67bffbb9b99beb5;p=pandora-kernel.git

libceph: fix overflow in __decode_pool_names()

`len' is read from network and thus needs validation.  Otherwise a
large `len' would cause out-of-bounds access via the memcpy() call.
In addition, len = 0xffffffff would overflow the kmalloc() size,
leading to out-of-bounds write.

This patch adds a check of `len' via ceph_decode_need().  Also use
kstrndup rather than kmalloc/memcpy.

[elder@inktank.com: added -ENOMEM return for null kstrndup() result]

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@inktank.com>
---

Reading git-diff-tree failed