libceph: validate blob_struct_v in process_one_ticket()

None of these are validated in userspace, but since we do validate
reply_struct_v in ceph_x_proc_ticket_reply(), tkt_struct_v (first) and
CephXServiceTicket struct_v (second) in process_one_ticket(), validate
CephXTicketBlob struct_v as well.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Elder <elder@linaro.org>

diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
index 2034fb9266700e6b456b141db9b5d264aed77d62..d0126df33f1fddc0700f54d7f33b01ef0a264ef3 100644 (file)
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac,
        dout(" ticket blob is %d bytes\n", dlen);
        ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad);
        blob_struct_v = ceph_decode_8(ptp);
+       if (blob_struct_v != 1)
+               goto bad;
+
        new_secret_id = ceph_decode_64(ptp);
        ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend);
        if (ret)