Commit d18a1247 authored by Ilya Dryomov's avatar Ilya Dryomov

libceph: validate blob_struct_v in process_one_ticket()

None of these are validated in userspace, but since we do validate
reply_struct_v in ceph_x_proc_ticket_reply(), tkt_struct_v (first) and
CephXServiceTicket struct_v (second) in process_one_ticket(), validate
CephXTicketBlob struct_v as well.
Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
Reviewed-by: default avatarAlex Elder <elder@linaro.org>
parent f3b4e55d
...@@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac, ...@@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac,
dout(" ticket blob is %d bytes\n", dlen); dout(" ticket blob is %d bytes\n", dlen);
ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad); ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad);
blob_struct_v = ceph_decode_8(ptp); blob_struct_v = ceph_decode_8(ptp);
if (blob_struct_v != 1)
goto bad;
new_secret_id = ceph_decode_64(ptp); new_secret_id = ceph_decode_64(ptp);
ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend); ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend);
if (ret) if (ret)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment