1 files changed, 87 insertions, 0 deletions

diff --git a/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch b/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch
new file mode 100644
index 000000000000..1528dadbe9d1
--- /dev/null
+++ b/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch
@@ -0,0 +1,87 @@
+diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
+index 10c8bfc..98843d7 100644
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2631,7 +2631,19 @@ void Monitor::handle_command(MonOpRequestRef op)
+     return;
+   }
+ 
+-  cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++  // check return value. If no prefix parameter provided,
++  // return value will be false, then return error info.
++  if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++    reply_command(op, -EINVAL, "command prefix not found", 0);
++    return;
++  }
++
++  // check prefix is empty
++  if (prefix.empty()) {
++    reply_command(op, -EINVAL, "command prefix must not be empty", 0);
++    return;
++  }
++
+   if (prefix == "get_command_descriptions") {
+     bufferlist rdata;
+     Formatter *f = Formatter::create("json");
+@@ -2652,6 +2664,15 @@ void Monitor::handle_command(MonOpRequestRef op)
+   boost::scoped_ptr<Formatter> f(Formatter::create(format));
+ 
+   get_str_vec(prefix, fullcmd);
++
++  // make sure fullcmd is not empty.
++  // invalid prefix will cause empty vector fullcmd.
++  // such as, prefix=";,,;"
++  if (fullcmd.empty()) {
++    reply_command(op, -EINVAL, "command requires a prefix to be valid", 0);
++    return;
++  }
++
+   module = fullcmd[0];
+ 
+   // validate command is in leader map
+diff --git a/src/test/librados/cmd.cc b/src/test/librados/cmd.cc
+index 9261fb5..878a8af 100644
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -48,6 +48,41 @@ TEST(LibRadosCmd, MonDescribe) {
+   rados_buffer_free(buf);
+   rados_buffer_free(st);
+ 
++  cmd[0] = (char *)"";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"abc\":\"something\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"    \"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
+   cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+   ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
+   ASSERT_LT(0u, buflen);