diff options
| author | Raphael Zimmer <raphael.zimmer@tu-ilmenau.de> | 2026-03-18 20:09:03 +0300 |
|---|---|---|
| committer | Ilya Dryomov <idryomov@gmail.com> | 2026-04-22 02:40:22 +0300 |
| commit | 5199c125d25aeae8615c4fc31652cc0fe624338e (patch) | |
| tree | de1aeb54db56bb385db7bbecc539d158ed97c061 | |
| parent | 028ef9c96e96197026887c0f092424679298aae8 (diff) | |
| download | linux-5199c125d25aeae8615c4fc31652cc0fe624338e.tar.xz | |
libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
protocol and result, this is currently not treated as an error. In case
of ac->negotiating == true and ac->protocol > 0, this leads to setting
ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
ac->protocol != protocol returns false, and init_protocol() is not
called. Subsequently, ac->ops->handle_reply() is called, which leads to
a null pointer dereference, because ac->ops is still NULL.
This patch changes the check for ac->protocol != protocol to
!ac->protocol, as this also includes the case when the protocol was set
to zero in the message. This causes the message to be treated as
containing a bad auth protocol.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
| -rw-r--r-- | net/ceph/auth.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ceph/auth.c b/net/ceph/auth.c index 901b93530b21..3314705e5914 100644 --- a/net/ceph/auth.c +++ b/net/ceph/auth.c @@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ac->protocol = 0; ac->ops = NULL; } - if (ac->protocol != protocol) { + if (!ac->protocol) { ret = init_protocol(ac, protocol); if (ret) { pr_err("auth protocol '%s' init failed: %d\n", |