summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhilipp Reisner <philipp.reisner@linbit.com>2012-03-28 10:17:32 +0200
committerPhilipp Reisner <philipp.reisner@linbit.com>2012-05-09 15:16:56 +0200
commit5de738272e38f7051c7a44c42631b71a0e2a1e80 (patch)
tree8693bda089848c0fe3123b2ac1c46f9b89300d47
parent197296ffed71b7d5056d8618a07fec145b040303 (diff)
downloadlwn-5de738272e38f7051c7a44c42631b71a0e2a1e80.tar.gz
lwn-5de738272e38f7051c7a44c42631b71a0e2a1e80.zip
drbd: Ensure that data_size is not 0 before using data_size-1 as index
This could be exploited by a peer which runs modified code. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com> Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
-rw-r--r--drivers/block/drbd/drbd_receiver.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 9db93ff11c02..017eeb745ed9 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -2837,10 +2837,10 @@ static int receive_SyncParam(struct drbd_conf *mdev, enum drbd_packets cmd, unsi
if (apv >= 88) {
if (apv == 88) {
- if (data_size > SHARED_SECRET_MAX) {
- dev_err(DEV, "verify-alg too long, "
- "peer wants %u, accepting only %u byte\n",
- data_size, SHARED_SECRET_MAX);
+ if (data_size > SHARED_SECRET_MAX || data_size == 0) {
+ dev_err(DEV, "verify-alg of wrong size, "
+ "peer wants %u, accepting only up to %u byte\n",
+ data_size, SHARED_SECRET_MAX);
return false;
}