oss-sec mailing list archives
CVE Request: libceph auth token overflow
From: Marcus Meissner <meissner () suse de>
Date: Mon, 15 Sep 2014 13:48:53 +0200
Hi, spotted by Brad, has no CVE id yet. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8 libceph: do not hard code max auth ticket len We hard code cephx auth ticket buffer size to 256 bytes. This isn't enough for any moderate setups and, in case tickets themselves are not encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the buffer is allocated dynamically anyway, allocated it a bit later, at the point where we know how much is going to be needed. Fixes: http://tracker.ceph.com/issues/8979 Ciao, marcus
Current thread:
- CVE Request: libceph auth token overflow Marcus Meissner (Sep 15)
- Re: CVE Request: libceph auth token overflow / Linux kernel cve-assign (Sep 15)