From: Dan Carpenter Date: Thu, 13 Jul 2017 07:45:17 +0000 (+0300) Subject: libceph: NULL deref on osdmap_apply_incremental() error path X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=00c8ebb360937bbc5da02929d62fcbf6a72801eb;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git libceph: NULL deref on osdmap_apply_incremental() error path There are hidden gotos in the ceph_decode_* macros. We need to set the "err" variable on these error paths otherwise we end up returning ERR_PTR(0) which is NULL. It causes NULL dereferences in the callers. Fixes: 6f428df47dae ("libceph: pg_upmap[_items] infrastructure") Signed-off-by: Dan Carpenter [idryomov@gmail.com: similar bug in osdmap_decode(), changelog tweak] Signed-off-by: Ilya Dryomov --- diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index 864789c5974e..3ffc7a1fd8b1 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -1544,7 +1544,7 @@ static int osdmap_decode(void **p, void *end, struct ceph_osdmap *map) if (struct_v >= 3) { /* erasure_code_profiles */ ceph_decode_skip_map_of_map(p, end, string, string, string, - bad); + e_inval); } if (struct_v >= 4) { @@ -1825,9 +1825,9 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, if (struct_v >= 3) { /* new_erasure_code_profiles */ ceph_decode_skip_map_of_map(p, end, string, string, string, - bad); + e_inval); /* old_erasure_code_profiles */ - ceph_decode_skip_set(p, end, string, bad); + ceph_decode_skip_set(p, end, string, e_inval); } if (struct_v >= 4) {