From: Xi Wang Date: Fri, 20 Apr 2012 20:49:44 +0000 (-0500) Subject: ceph: fix bounds check in ceph_decode_need and ceph_encode_need X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=76aa542fb90e3e91edb1146d10ca7cf2cae8e7e9;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git ceph: fix bounds check in ceph_decode_need and ceph_encode_need Given a large n, the bounds check (*p + n > end) can be bypassed due to pointer wraparound. A safer check is (n > end - *p). [elder@dreamhost.com: inverted test and renamed ceph_has_room()] Signed-off-by: Xi Wang Reviewed-by: Alex Elder --- diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h index c5b6939fb32a..ecf324eb2c9a 100644 --- a/include/linux/ceph/decode.h +++ b/include/linux/ceph/decode.h @@ -45,9 +45,14 @@ static inline void ceph_decode_copy(void **p, void *pv, size_t n) /* * bounds check input. */ +static inline int ceph_has_room(void **p, void *end, size_t n) +{ + return end >= *p && n <= end - *p; +} + #define ceph_decode_need(p, end, n, bad) \ do { \ - if (unlikely(*(p) + (n) > (end))) \ + if (!likely(ceph_has_room(p, end, n))) \ goto bad; \ } while (0) @@ -166,7 +171,7 @@ static inline void ceph_encode_string(void **p, void *end, #define ceph_encode_need(p, end, n, bad) \ do { \ - if (unlikely(*(p) + (n) > (end))) \ + if (!likely(ceph_has_room(p, end, n))) \ goto bad; \ } while (0)