[PATCH 6.17 140/146] libceph: prevent potential out-of-bounds writes in handle_auth_session_key()

3 Dec 2025

6.17-stable review patch.  If anyone has any objections, please let me know.
------------------
From: ziming zhang ezrakiez@gmail.com
commit 7fce830ecd0a0256590ee37eb65a39cbad3d64fc upstream.
The len field originates from untrusted network packets. Boundary
checks have been added to prevent potential out-of-bounds writes when
decrypting the connection secret or processing service tickets.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang ezrakiez@gmail.com
Reviewed-by: Ilya Dryomov idryomov@gmail.com
Signed-off-by: Ilya Dryomov idryomov@gmail.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 net/ceph/auth_x.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -631,6 +631,7 @@ static int handle_auth_session_key(struc
/* connection secret */
    ceph_decode_32_safe(p, end, len, e_inval);
+	ceph_decode_need(p, end, len, e_inval);
    dout("%s connection secret blob len %d\n", __func__, len);
    if (len > 0) {
    	dp = *p + ceph_x_encrypt_offset();
@@ -648,6 +649,7 @@ static int handle_auth_session_key(struc
/* service tickets */
    ceph_decode_32_safe(p, end, len, e_inval);
+	ceph_decode_need(p, end, len, e_inval);
    dout("%s service tickets blob len %d\n", __func__, len);
    if (len > 0) {
    	ret = ceph_x_proc_ticket_reply(ac, &th->session_key,

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 6.17 140/146] libceph: prevent potential out-of-bounds writes in handle_auth_session_key()