ceph: fix bounds check in ceph_decode_need and ceph_encode_need
authorXi Wang <xi.wang@gmail.com>
Fri, 20 Apr 2012 20:49:44 +0000 (15:49 -0500)
committerAlex Elder <elder@dreamhost.com>
Mon, 14 May 2012 17:12:27 +0000 (12:12 -0500)
Given a large n, the bounds check (*p + n > end) can be bypassed due to
pointer wraparound.  A safer check is (n > end - *p).

[elder@dreamhost.com: inverted test and renamed ceph_has_room()]

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@dreamhost.com>
include/linux/ceph/decode.h

index c5b6939fb32af578501a280f73f2aa7b4276ac37..ecf324eb2c9a63b2a5a83e7f727555a9eb499440 100644 (file)
@@ -45,9 +45,14 @@ static inline void ceph_decode_copy(void **p, void *pv, size_t n)
 /*
  * bounds check input.
  */
+static inline int ceph_has_room(void **p, void *end, size_t n)
+{
+       return end >= *p && n <= end - *p;
+}
+
 #define ceph_decode_need(p, end, n, bad)               \
        do {                                            \
-               if (unlikely(*(p) + (n) > (end)))       \
+               if (!likely(ceph_has_room(p, end, n)))  \
                        goto bad;                       \
        } while (0)
 
@@ -166,7 +171,7 @@ static inline void ceph_encode_string(void **p, void *end,
 
 #define ceph_encode_need(p, end, n, bad)               \
        do {                                            \
-               if (unlikely(*(p) + (n) > (end)))       \
+               if (!likely(ceph_has_room(p, end, n)))  \
                        goto bad;                       \
        } while (0)