git-server-git.apps.pok.os.sepia.ceph.com Git - ceph-client.git/commit
ceph: fix potential overflow in parse_reply_info_dir()
author    Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
          Tue, 16 Sep 2025 18:58:28 +0000 (11:58 -0700)
committer Ilya Dryomov <idryomov@gmail.com>
          Wed, 11 Feb 2026 18:19:17 +0000 (19:19 +0100)
commit    709187a80fbdb8545c8dc1c952904cfbf46a0933
tree      7ac67b5a1df60b9609d32bed953c82cf5653a0c0
parent    ae1ddf5b7d42293d099b5e5a045a63ba2a748b44
ceph: fix potential overflow in parse_reply_info_dir()

The parse_reply_info_dir() logic tries to parse
a dir fragment:

struct ceph_mds_reply_dirfrag {
__le32 frag;            /* fragment */
__le32 auth;            /* auth mds, if this is a delegation point */
__le32 ndist;           /* number of mds' this is replicated on */
__le32 dist[];
} __attribute__ ((packed));

Potentially, the ndist field could be corrupted or have
an invalid or malicious value. As a result, this logic
could result in overflow:

*p += sizeof(**dirfrag) + sizeof(u32) * le32_to_cpu((*dirfrag)->ndist);

Al Viro suggested the initial vision of the fix.
The suggested fix was partially reworked.

This patch adds a check that ndist is not bigger
than (U32_MAX / sizeof(u32)) and a check that we have
enough space in the memory buffer by means of ceph_decode_need().

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
cc: Alex Markuze <amarkuze@redhat.com>
cc: Ilya Dryomov <idryomov@gmail.com>
cc: Ceph Development <ceph-devel@vger.kernel.org>
fs/ceph/mds_client.c
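The two checks the commit message describes, as an added stand-alone example that is not code from the Linux ceph client or from this commit. It decodes the ceph_mds_reply_dirfrag wire layout quoted above from a byte buffer, bounds ndist by U32_MAX / sizeof(u32) before multiplying, then verifies that dist[] fits in what remains of the buffer (a has_room() helper standing in for ceph_decode_need()). The function names decode_dirfrag(), has_room(), naive_len32() and try_decode(), the dirfrag_view type, and the four sample messages are this example's own constructions; naive_len32() only shows what the unchecked length arithmetic produces when the product is evaluated in 32 bits, which is the case the ndist bound exists to rule out.

```c
/*
 * Added example, not the Linux ceph client's own code: a stand-alone decoder
 * for the ceph_mds_reply_dirfrag layout quoted in the commit message, with
 * the two checks the fix describes. All helper and type names below are this
 * example's own assumptions; only the struct layout and the checks
 * (ndist <= U32_MAX / sizeof(u32), then a remaining-buffer check in the
 * spirit of ceph_decode_need()) come from the commit message.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
#define U32_MAX 0xffffffffU

/* Wire layout from the commit message; dist[] carries ndist entries. */
struct ceph_mds_reply_dirfrag {
    u32 frag;
    u32 auth;
    u32 ndist;
    u32 dist[];
} __attribute__((packed));

/* Decoded view handed back to the caller (example's own type). */
struct dirfrag_view {
    u32 frag, auth, ndist;
    const unsigned char *dist;   /* points at dist[0] inside the buffer */
};

/* Read a little-endian u32 from unaligned wire bytes. */
static u32 read_le32(const unsigned char *b)
{
    return (u32)b[0] | ((u32)b[1] << 8) | ((u32)b[2] << 16) | ((u32)b[3] << 24);
}

/* Stand-in for ceph_has_room(): are n bytes available between p and end? */
static int has_room(const unsigned char *p, const unsigned char *end, size_t n)
{
    return end >= p && (size_t)(end - p) >= n;
}

/*
 * What the unchecked advance's length would be if sizeof(u32) * ndist were
 * evaluated in 32-bit arithmetic: any ndist above U32_MAX / sizeof(u32)
 * wraps the product, which is why the fix bounds ndist before multiplying.
 */
static u32 naive_len32(u32 ndist)
{
    return (u32)sizeof(struct ceph_mds_reply_dirfrag) + (u32)sizeof(u32) * ndist;
}

/*
 * Checked decoder: on success advances *p past the header and dist[] and
 * returns 0; on malformed input returns -1 and leaves *p untouched.
 */
static int decode_dirfrag(const unsigned char **p, const unsigned char *end,
                          struct dirfrag_view *out)
{
    const unsigned char *cur = *p;
    const size_t hdr = sizeof(struct ceph_mds_reply_dirfrag);
    u32 ndist;
    size_t dist_len;

    /* The fixed-size header (frag, auth, ndist) must be present at all. */
    if (!has_room(cur, end, hdr))
        return -1;
    ndist = read_le32(cur + offsetof(struct ceph_mds_reply_dirfrag, ndist));

    /* Check 1 from the fix: bound ndist so sizeof(u32) * ndist cannot wrap. */
    if (ndist > U32_MAX / sizeof(u32))
        return -1;
    dist_len = sizeof(u32) * (size_t)ndist;

    /* Check 2: the dist[] array must fit in what remains of the buffer. */
    if (!has_room(cur + hdr, end, dist_len))
        return -1;

    out->frag  = read_le32(cur + offsetof(struct ceph_mds_reply_dirfrag, frag));
    out->auth  = read_le32(cur + offsetof(struct ceph_mds_reply_dirfrag, auth));
    out->ndist = ndist;
    out->dist  = cur + hdr;
    *p = cur + hdr + dist_len;
    return 0;
}

/* Constructed sample messages (not captured traffic), little-endian fields. */
static const unsigned char msg_ok[] = {      /* frag=1 auth=2 ndist=2 dist={5,7} */
    0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x05,0x00,0x00,0x00, 0x07,0x00,0x00,0x00,
};
static const unsigned char msg_huge[] = {    /* ndist=0xffffffff, no dist[] */
    0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,
};
static const unsigned char msg_short[] = {   /* ndist=3, only one entry follows */
    0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,
    0x05,0x00,0x00,0x00,
};
static const unsigned char msg_wrap[] = {    /* ndist=0x40000001: 4*ndist wraps */
    0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x01,0x00,0x00,0x40,
    0x05,0x00,0x00,0x00,
};

/* Runs the decoder over one message; returns bytes consumed, or -1 if rejected. */
static long try_decode(const unsigned char *buf, size_t len, struct dirfrag_view *v)
{
    const unsigned char *p = buf, *end = buf + len;
    if (decode_dirfrag(&p, end, v) < 0)
        return -1;
    return (long)(p - buf);
}

int main(void)
{
    struct dirfrag_view v;
    long n = try_decode(msg_ok, sizeof msg_ok, &v);
    printf("ok:    consumed %ld bytes, ndist=%u\n", n, v.ndist);
    printf("huge:  %ld\n", try_decode(msg_huge, sizeof msg_huge, &v));
    printf("short: %ld\n", try_decode(msg_short, sizeof msg_short, &v));
    printf("wrap:  %ld (32-bit naive length would be %u)\n",
           try_decode(msg_wrap, sizeof msg_wrap, &v), naive_len32(0x40000001u));
    return 0;
}
```

The msg_wrap case is the one worth pausing on: ndist is only one above the U32_MAX / sizeof(u32) bound, yet a 32-bit product turns a 4 GiB array into 4 bytes, so a room check done after that multiply would pass. Checking ndist first, and only then asking whether sizeof(u32) * ndist bytes remain, is what makes the second check meaningful.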