Commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e
Committed by
Sage Weil
Sage Weil
1 parent
93faca6ef4
Exists in
master
and in
20 other branches
libceph: Fix NULL pointer dereference in auth client code
A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Reported-by: Chanam Park <chanam.park@hkpco.kr> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Sage Weil <sage@inktank.com> Cc: stable@vger.kernel.org
Showing 1 changed file with 6 additions and 0 deletions Side-by-side Diff
net/ceph/auth_none.c
| ... | ... | @@ -39,6 +39,11 @@ |
| 39 | 39 | return xi->starting; |
| 40 | 40 | } |
| 41 | 41 | |
| 42 | +static int build_request(struct ceph_auth_client *ac, void *buf, void *end) | |
| 43 | +{ | |
| 44 | + return 0; | |
| 45 | +} | |
| 46 | + | |
| 42 | 47 | /* |
| 43 | 48 | * the generic auth code decode the global_id, and we carry no actual |
| 44 | 49 | * authenticate state, so nothing happens here. |
| ... | ... | @@ -106,6 +111,7 @@ |
| 106 | 111 | .destroy = destroy, |
| 107 | 112 | .is_authenticated = is_authenticated, |
| 108 | 113 | .should_authenticate = should_authenticate, |
| 114 | + .build_request = build_request, | |
| 109 | 115 | .handle_reply = handle_reply, |
| 110 | 116 | .create_authorizer = ceph_auth_none_create_authorizer, |
| 111 | 117 | .destroy_authorizer = ceph_auth_none_destroy_authorizer, |