evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

drbd: Ensure that data_size is not 0 before using data_size-1 as index

Browse source 
This could be exploited by a peer which runs modified code.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
This commit is contained in:
Philipp Reisner 2012-03-28 10:17:32 +02:00
parent 197296ffed
commit 5de738272e
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/block/drbd/drbd_receiver.c
View file

@ -2837,9 +2837,9 @@ static int receive_SyncParam(struct drbd_conf *mdev, enum drbd_packets cmd, unsi
if (apv >= 88) { if (apv >= 88) {
if (apv == 88) { if (apv == 88) {
if (data_size > SHARED_SECRET_MAX) { if (data_size > SHARED_SECRET_MAX || data_size == 0) {
dev_err(DEV, "verify-alg too long, " dev_err(DEV, "verify-alg of wrong size, "
"peer wants %u, accepting only %u byte\n", "peer wants %u, accepting only up to %u byte\n",
data_size, SHARED_SECRET_MAX); data_size, SHARED_SECRET_MAX);
return false; return false;
} }