From: Ilya Dryomov Date: Thu, 13 Mar 2014 14:36:15 +0000 (+0200) Subject: libceph: fix crush_decode() call site in osdmap_decode() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9902e682c7f3df9ed5f60bc6f9c7efa6fd6b2d1d;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git libceph: fix crush_decode() call site in osdmap_decode() The size of the memory area feeded to crush_decode() should be limited not only by osdmap end, but also by the crush map length. Also, drop unnecessary dout() (dout() in crush_decode() conveys the same info) and step past crush map only if it is decoded successfully. Signed-off-by: Ilya Dryomov Reviewed-by: Alex Elder --- diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index c39ac624ccc3..d4a6b0df3627 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -802,16 +802,13 @@ static int osdmap_decode(void **p, void *end, struct ceph_osdmap *map) /* crush */ ceph_decode_32_safe(p, end, len, e_inval); - dout("osdmap_decode crush len %d from off 0x%x\n", len, - (int)(*p - start)); - ceph_decode_need(p, end, len, e_inval); - map->crush = crush_decode(*p, end); - *p += len; + map->crush = crush_decode(*p, min(*p + len, end)); if (IS_ERR(map->crush)) { err = PTR_ERR(map->crush); map->crush = NULL; goto bad; } + *p += len; /* ignore the rest */ *p = end;
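Review bot: With `ceph_decode_need(p, end, len, e_inval)` dropped, a crush map length larger than the bytes left in the osdmap is no longer rejected up front; the hunk now clamps the end passed to crush_decode() via `min(*p + len, end)` and relies on crush_decode() failing on the truncated buffer, but if it returns successfully the subsequent `*p += len` can advance the cursor past `end` (only masked here because `*p = end` follows immediately under "ignore the rest"). Consider keeping the explicit length check so an oversized crush length is reported as e_inval instead of being silently clamped, e.g. retain `ceph_decode_need(p, end, len, e_inval);` before `map->crush = crush_decode(*p, *p + len);`, which also removes the need for min() on void pointers (the `*p + len` arithmetic is a GCC extension). Moving `*p += len` after the IS_ERR check, as the hunk does, is the right ordering since the cursor should not advance when decoding fails.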