| author | ziming zhang <ezrakiez@gmail.com> | 2025-12-11 16:52:58 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-01-17 16:31:17 +0100 |
| commit | 2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 (patch) | |
| tree | 75119da62c243a227498e71e8a3688f297261ec4 | |
| parent | f94f95b8173605c305e1e33758a34a1dc08d3c8c (diff) | |
libceph: prevent potential out-of-bounds reads in handle_auth_done()
commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream.
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/ceph/messenger_v2.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ceph/messenger_v2.c b/net/ceph/messenger_v2.c index 3ae0cca89ab8..f163283abc4e 100644 --- a/net/ceph/messenger_v2.c +++ b/net/ceph/messenger_v2.c @@ -2405,7 +2405,9 @@ static int process_auth_done(struct ceph_connection *con, void *p, void *end) ceph_decode_64_safe(&p, end, global_id, bad); ceph_decode_32_safe(&p, end, con->v2.con_mode, bad); + ceph_decode_32_safe(&p, end, payload_len, bad); + ceph_decode_need(&p, end, payload_len, bad); dout("%s con %p global_id %llu con_mode %d payload_len %d\n", __func__, con, global_id, con->v2.con_mode, payload_len); |
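Review bot: The new ceph_decode_need(&p, end, payload_len, bad) in process_auth_done() is only as strong as payload_len's type, and the dout() right after it prints payload_len with %d, which suggests a signed int. The declaration is outside this hunk, so please confirm that a value decoded from the wire with the top bit set still fails the check and jumps to bad, or declare payload_len as u32 and print it with %u so the comparison against the remaining buffer is plainly unsigned. A smaller documentation point: the subject names handle_auth_done() while the check is added in process_auth_done(), and the changelog only says "the callout"; naming the callout that receives p and payload_len would make the relationship clear to stable backporters.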
