libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()

Raphael Zimmer · gregkh · commit 4b2738b93eda · 2026-05-17T17:13:30.000+02:00
commit 5199c12 upstream. If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol. Cc: stable@vger.kernel.org Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/ceph/auth.c b/net/ceph/auth.c
@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
 			ac->protocol = 0;
 			ac->ops = NULL;
 		}
-		if (ac->protocol != protocol) {
+		if (!ac->protocol) {
 			ret = init_protocol(ac, protocol);
 			if (ret) {
 				pr_err("auth protocol '%s' init failed: %d\n",

Original file line number	Diff line number	Diff line change
`@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,`
`245`	`245`	`ac->protocol = 0;`
`246`	`246`	`ac->ops = NULL;`
`247`	`247`	`}`
`248`		`- if (ac->protocol != protocol) {`
	`248`	`+ if (!ac->protocol) {`
`249`	`249`	`ret = init_protocol(ac, protocol);`
`250`	`250`	`if (ret) {`
`251`	`251`	`pr_err("auth protocol '%s' init failed: %d\n",`