libceph: NULL deref on crush_decode() error path
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 23 May 2017 14:25:10 +0000 (17:25 +0300)
committerIlya Dryomov <idryomov@gmail.com>
Tue, 23 May 2017 18:32:32 +0000 (20:32 +0200)
commit293dffaad8d500e1a5336eeb90d544cf40d4fbd8
tree1eb76ba55a52cc58f21125d01f9b33b6f220c0d5
parentb51456a6096ebf9f4ceb2cc7e176b471d4b70af0
libceph: NULL deref on crush_decode() error path

If there is not enough space then ceph_decode_32_safe() does a goto bad.
We need to return an error code in that situation.  The current code
returns ERR_PTR(0) which is NULL.  The callers are not expecting that
and it results in a NULL dereference.

Fixes: f24e9980eb86 ("ceph: OSD client")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
net/ceph/osdmap.c