e91a9b639a
On 32-bit systems, a large `n' would overflow `n * sizeof(u32)' and bypass the check ceph_decode_need(p, end, n * sizeof(u32), bad). It would also overflow the subsequent kmalloc() size, leading to out-of-bounds write. Signed-off-by: Xi Wang <xi.wang@gmail.com> Reviewed-by: Alex Elder <elder@inktank.com> |
||
---|---|---|
.. | ||
crush | ||
armor.c | ||
auth.c | ||
auth_none.c | ||
auth_none.h | ||
auth_x.c | ||
auth_x.h | ||
auth_x_protocol.h | ||
buffer.c | ||
ceph_common.c | ||
ceph_fs.c | ||
ceph_hash.c | ||
ceph_strings.c | ||
crypto.c | ||
crypto.h | ||
debugfs.c | ||
Kconfig | ||
Makefile | ||
messenger.c | ||
mon_client.c | ||
msgpool.c | ||
osd_client.c | ||
osdmap.c | ||
pagelist.c | ||
pagevec.c |