linux-kernelorg-stable/net
Ilya Dryomov 8c73851271 libceph: make decode_pool() more resilient against corrupted osdmaps

If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.

This patch adds explicit bounds checks for each field that is decoded
or skipped.

Cc: stable@vger.kernel.org
Reported-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Tested-by: ziming zhang <ezrakiez@gmail.com>
2025-12-10 11:50:54 +01:00
6lowpan
9p
802
8021q net: vlan: sync VLAN features with lower device 2025-10-31 17:42:35 -07:00
appletalk
atm net: atm: fix incorrect cleanup function call in error path 2025-11-20 18:09:49 -08:00
ax25
batman-adv Here is a batman-adv bugfix: 2025-10-27 18:00:54 -07:00
bluetooth Bluetooth: SMP: Fix not generating mackey and ltk when repairing 2025-11-20 17:02:07 -05:00
bpf
bridge net: bridge: fix MST static key usage 2025-11-06 07:32:17 -08:00
caif
can
ceph libceph: make decode_pool() more resilient against corrupted osdmaps 2025-12-10 11:50:54 +01:00
core net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() 2025-11-13 17:23:21 -08:00
dcb
devlink devlink: rate: Unset parent pointer in devl_rate_nodes_destroy 2025-11-18 17:12:21 -08:00
dns_resolver
dsa net: dsa: tag_brcm: do not mark link local traffic as offloaded 2025-11-10 17:04:19 -08:00
ethernet
ethtool
handshake net/handshake: Fix memory leak in tls_handshake_accept() 2025-11-10 17:53:47 -08:00
hsr hsr: Follow standard for HSRv0 supervision frames 2025-11-13 15:55:04 +01:00
ieee802154
ife
ipv4 ipsec-2025-11-18 2025-11-18 17:58:44 -08:00
ipv6 xfrm: Determine inner GSO type from packet inner protocol 2025-10-30 11:52:31 +01:00
iucv
kcm
key
l2tp l2tp: reset skb control buffer on xmit 2025-11-20 11:52:24 +01:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: skip rate verification for not captured PSDUs 2025-11-11 09:25:17 +01:00
mac802154
mctp net: mctp: unconditionally set skb->dev on dst output 2025-11-27 11:39:12 +01:00
mpls
mptcp mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). 2025-11-27 13:10:16 +01:00
ncsi
netfilter netfilter: nft_ct: add seqadj extension for natted connections 2025-10-29 14:47:59 +01:00
netlabel
netlink
netrom
nfc
nsh
openvswitch net: openvswitch: remove never-working support for setting nsh fields 2025-11-14 18:13:24 -08:00
packet
phonet
psample
psp
qrtr
rds
rfkill
rose
rxrpc
sched linux-can-fixes-for-6.18-20251126 2025-11-26 19:56:00 -08:00
sctp sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto 2025-11-10 16:21:05 -08:00
shaper
smc net/smc: fix mismatch between CLC header and proposal 2025-11-10 17:52:09 -08:00
strparser strparser: Fix signed/unsigned mismatch bug 2025-11-07 18:17:16 -08:00
sunrpc nfsd-6.18 fixes: 2025-11-12 18:41:01 -08:00
switchdev
tipc tipc: Fix use-after-free in tipc_mon_reinit_self(). 2025-11-10 18:14:40 -08:00
tls net: tls: Cancel RX async resync request on rcd_delta overflow 2025-10-29 18:32:18 -07:00
unix af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic(). 2025-11-18 19:19:09 -08:00
vmw_vsock vsock: Ignore signal/timeout on connect() if already established 2025-11-20 07:40:06 -08:00
wireless wifi: cfg80211: add an hrtimer based delayed work item 2025-10-28 14:56:30 +01:00
x25
xdp xsk: avoid data corruption on cq descriptor number 2025-11-25 19:51:50 -08:00
xfrm ipsec-2025-11-18 2025-11-18 17:58:44 -08:00
Kconfig
Kconfig.debug
Makefile
compat.c
devres.c
socket.c
sysctl_net.c