[PATCH RESEND] ceph: fix bounds checking macros
From: Xi Wang
Date: Sun Jan 15 2012 - 01:12:37 EST
The bounds check (*p + n > end) can be bypassed with a large n due to
pointer wraparound, especially when n is read from network. Change the
check to a safer form (n > end - *p).
Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
---
include/linux/ceph/decode.h | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h
index c5b6939..c0b1e46 100644
--- a/include/linux/ceph/decode.h
+++ b/include/linux/ceph/decode.h
@@ -12,6 +12,11 @@
* void *end pointer to end of buffer (last byte + 1)
*/
+static inline int ceph_need(void **p, void *end, size_t n)
+{
+ return (end < *p) || (n > end - *p);
+}
+
static inline u64 ceph_decode_64(void **p)
{
u64 v = get_unaligned_le64(*p);
@@ -47,7 +52,7 @@ static inline void ceph_decode_copy(void **p, void *pv, size_t n)
*/
#define ceph_decode_need(p, end, n, bad) \
do { \
- if (unlikely(*(p) + (n) > (end))) \
+ if (unlikely(ceph_need(p, end, n))) \
goto bad; \
} while (0)
@@ -166,7 +171,7 @@ static inline void ceph_encode_string(void **p, void *end,
#define ceph_encode_need(p, end, n, bad) \
do { \
- if (unlikely(*(p) + (n) > (end))) \
+ if (unlikely(ceph_need(p, end, n))) \
goto bad; \
} while (0)
--
1.7.5.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/