From: Alex Elder <elder@inktank.com>
To: Xi Wang <xi.wang@gmail.com>
Cc: Sage Weil <sage@newdream.net>, ceph-devel@vger.kernel.org
Subject: Re: [PATCH 2/3] libceph: fix overflow in osdmap_decode()
Date: Wed, 06 Jun 2012 14:14:59 -0500 [thread overview]
Message-ID: <4FCFAC33.6020003@inktank.com> (raw)
In-Reply-To: <16A6B85A-9BD1-4242-95CD-5ACFC43956F4@gmail.com>
On 06/06/2012 12:56 PM, Xi Wang wrote:
> On Jun 6, 2012, at 12:26 PM, Alex Elder wrote:
>>
>> Just above here we see:
>> /* pg_temp */
>> ceph_decode_32_safe(p, end, len, bad);
>> for (i = 0; i < len; i++) {
>>
>> We haven't validated "len" here either. Looking at it I'm not sure
>> we can do much, but I think we do know a few things should be true:
>> - (len & (sizeof (u32) - 1)) == 0
>> - len <= (UINT_MAX / (sizeof (struct ceph_pg) + sizeof (u32)))
>> and further, if it's invalid to have a value for pg->len of
>> zero, then we can instead assert:
>> - len <= (UINT_MAX / (sizeof (struct ceph_pg) + 2 * sizeof (u32)))
>>
>> I don't know if it's that important do do a check like this though.
>
> I don't see any overflow issue here. Are you worried about the loop
> running for a while given a large n? How about this check?
Not an overflow check, but a validity check nevertheless.
> /* pg_temp */
> ceph_decode_32_safe(p, end, len, bad);
> + if (len > UINT_MAX / (sizeof(u32) + sizeof(u64)))
> + goto bad;
That part is sufficient, though I'd prefer sizeof (ceph_pg) both
here and in the line that follows, rather than sizeof (u64).
> + ceph_decode_need(p, end, len * (sizeof(u32) + sizeof(u64)), bad);
This isn't necessary--I was not looking for overflow, just for
some sanity checking on the value that came in from the wire.
It probably won't matter because in time if the value is too large
then one of the checks inside the loop might bail out. But catching
it as early as possible is always better.
I'm not too concerned about it. I may get around to implement
fixes like this myself, but would probably do it comprehensively
if I do.
-Alex
next prev parent reply other threads:[~2012-06-06 19:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-29 6:59 [PATCH 1/3] ligceph: fix overflow in __decode_pool_names() Xi Wang
2012-04-29 6:59 ` [PATCH 2/3] libceph: fix overflow in osdmap_decode() Xi Wang
2012-06-06 16:26 ` Alex Elder
2012-06-06 17:56 ` Xi Wang
2012-06-06 19:14 ` Alex Elder [this message]
2012-06-06 19:20 ` Xi Wang
2012-04-29 6:59 ` [PATCH 3/3] libceph: fix overflow in osdmap_apply_incremental() Xi Wang
2012-06-06 16:26 ` Alex Elder
2012-04-29 7:07 ` [PATCH v2 1/3] libceph: fix overflow in __decode_pool_names() Xi Wang
2012-06-06 16:26 ` Alex Elder
2012-06-06 17:54 ` Xi Wang
2012-06-06 19:14 ` Alex Elder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FCFAC33.6020003@inktank.com \
--to=elder@inktank.com \
--cc=ceph-devel@vger.kernel.org \
--cc=sage@newdream.net \
--cc=xi.wang@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.