projects
/
GitHub
/
exynos8895
/
android_kernel_samsung_universal8895.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
065a68f
)
ceph: fix bounds check in ceph_decode_need and ceph_encode_need
author
Xi Wang
<xi.wang@gmail.com>
Fri, 20 Apr 2012 20:49:44 +0000
(15:49 -0500)
committer
Alex Elder
<elder@dreamhost.com>
Mon, 14 May 2012 17:12:27 +0000
(12:12 -0500)
Given a large n, the bounds check (*p + n > end) can be bypassed due to
pointer wraparound. A safer check is (n > end - *p).
[elder@dreamhost.com: inverted test and renamed ceph_has_room()]
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@dreamhost.com>
include/linux/ceph/decode.h
patch
|
blob
|
blame
|
history
diff --git
a/include/linux/ceph/decode.h
b/include/linux/ceph/decode.h
index c5b6939fb32af578501a280f73f2aa7b4276ac37..ecf324eb2c9a63b2a5a83e7f727555a9eb499440 100644
(file)
--- a/
include/linux/ceph/decode.h
+++ b/
include/linux/ceph/decode.h
@@
-45,9
+45,14
@@
static inline void ceph_decode_copy(void **p, void *pv, size_t n)
/*
* bounds check input.
*/
+static inline int ceph_has_room(void **p, void *end, size_t n)
+{
+ return end >= *p && n <= end - *p;
+}
+
#define ceph_decode_need(p, end, n, bad) \
do { \
- if (
unlikely(*(p) + (n) > (end)))
\
+ if (
!likely(ceph_has_room(p, end, n)))
\
goto bad; \
} while (0)
@@
-166,7
+171,7
@@
static inline void ceph_encode_string(void **p, void *end,
#define ceph_encode_need(p, end, n, bad) \
do { \
- if (
unlikely(*(p) + (n) > (end)))
\
+ if (
!likely(ceph_has_room(p, end, n)))
\
goto bad; \
} while (0)