libceph: validate blob_struct_v in process_one_ticket()

None of these are validated in userspace, but since we do validate reply_struct_v in ceph_x_proc_ticket_reply(), tkt_struct_v (first) and CephXServiceTicket struct_v (second) in process_one_ticket(), validate CephXTicketBlob struct_v as well. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Elder <elder@linaro.org>
2024-11-11 12:28:41 +08:00 · 2017-05-19 12:21:56 +02:00 · 2017-05-19 12:21:56 +02:00 · d18a1247c4
commit d18a1247c4
parent f3b4e55ded
1 changed files with 3 additions and 0 deletions
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac,
 	dout(" ticket blob is %d bytes\n", dlen);
 	ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad);
 	blob_struct_v = ceph_decode_8(ptp);
+	if (blob_struct_v != 1)
+		goto bad;
+
 	new_secret_id = ceph_decode_64(ptp);
 	ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend);
 	if (ret)