diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2008-01-25 19:55:09 -0500 |
---|---|---|
committer | David Teigland <teigland@redhat.com> | 2008-02-04 02:25:09 -0500 |
commit | ae773d0b74bf2244887a6d0504372748381ab9c7 (patch) | |
tree | 43862e0dea715b3d07c4a456e35e4b67525c973b | |
parent | cd9df1aac346f1c7f592739d092ff710c27bbcde (diff) |
dlm: verify that places expecting rcom_lock have packet long enough
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Teigland <teigland@redhat.com>
-rw-r--r-- | fs/dlm/lock.c | 3 | ||||
-rw-r--r-- | fs/dlm/rcom.c | 12 |
2 files changed, 14 insertions, 1 deletions
diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c index 75176b58ae04..6c605fc10613 100644 --- a/fs/dlm/lock.c +++ b/fs/dlm/lock.c | |||
@@ -4266,6 +4266,7 @@ static struct dlm_lkb *search_remid(struct dlm_rsb *r, int nodeid, | |||
4266 | return NULL; | 4266 | return NULL; |
4267 | } | 4267 | } |
4268 | 4268 | ||
4269 | /* needs at least dlm_rcom + rcom_lock */ | ||
4269 | static int receive_rcom_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb, | 4270 | static int receive_rcom_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb, |
4270 | struct dlm_rsb *r, struct dlm_rcom *rc) | 4271 | struct dlm_rsb *r, struct dlm_rcom *rc) |
4271 | { | 4272 | { |
@@ -4315,6 +4316,7 @@ static int receive_rcom_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb, | |||
4315 | the given values and send back our lkid. We send back our lkid by sending | 4316 | the given values and send back our lkid. We send back our lkid by sending |
4316 | back the rcom_lock struct we got but with the remid field filled in. */ | 4317 | back the rcom_lock struct we got but with the remid field filled in. */ |
4317 | 4318 | ||
4319 | /* needs at least dlm_rcom + rcom_lock */ | ||
4318 | int dlm_recover_master_copy(struct dlm_ls *ls, struct dlm_rcom *rc) | 4320 | int dlm_recover_master_copy(struct dlm_ls *ls, struct dlm_rcom *rc) |
4319 | { | 4321 | { |
4320 | struct rcom_lock *rl = (struct rcom_lock *) rc->rc_buf; | 4322 | struct rcom_lock *rl = (struct rcom_lock *) rc->rc_buf; |
@@ -4370,6 +4372,7 @@ int dlm_recover_master_copy(struct dlm_ls *ls, struct dlm_rcom *rc) | |||
4370 | return error; | 4372 | return error; |
4371 | } | 4373 | } |
4372 | 4374 | ||
4375 | /* needs at least dlm_rcom + rcom_lock */ | ||
4373 | int dlm_recover_process_copy(struct dlm_ls *ls, struct dlm_rcom *rc) | 4376 | int dlm_recover_process_copy(struct dlm_ls *ls, struct dlm_rcom *rc) |
4374 | { | 4377 | { |
4375 | struct rcom_lock *rl = (struct rcom_lock *) rc->rc_buf; | 4378 | struct rcom_lock *rl = (struct rcom_lock *) rc->rc_buf; |
diff --git a/fs/dlm/rcom.c b/fs/dlm/rcom.c index a312f1d97f8b..ef9d0f918492 100644 --- a/fs/dlm/rcom.c +++ b/fs/dlm/rcom.c | |||
@@ -357,6 +357,7 @@ int dlm_send_rcom_lock(struct dlm_rsb *r, struct dlm_lkb *lkb) | |||
357 | return error; | 357 | return error; |
358 | } | 358 | } |
359 | 359 | ||
360 | /* needs at least dlm_rcom + rcom_lock */ | ||
360 | static void receive_rcom_lock(struct dlm_ls *ls, struct dlm_rcom *rc_in) | 361 | static void receive_rcom_lock(struct dlm_ls *ls, struct dlm_rcom *rc_in) |
361 | { | 362 | { |
362 | struct dlm_rcom *rc; | 363 | struct dlm_rcom *rc; |
@@ -448,6 +449,8 @@ static int is_old_reply(struct dlm_ls *ls, struct dlm_rcom *rc) | |||
448 | 449 | ||
449 | void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) | 450 | void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) |
450 | { | 451 | { |
452 | int lock_size = sizeof(struct dlm_rcom) + sizeof(struct rcom_lock); | ||
453 | |||
451 | if (dlm_recovery_stopped(ls) && (rc->rc_type != DLM_RCOM_STATUS)) { | 454 | if (dlm_recovery_stopped(ls) && (rc->rc_type != DLM_RCOM_STATUS)) { |
452 | log_debug(ls, "ignoring recovery message %x from %d", | 455 | log_debug(ls, "ignoring recovery message %x from %d", |
453 | rc->rc_type, nodeid); | 456 | rc->rc_type, nodeid); |
@@ -471,6 +474,8 @@ void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) | |||
471 | break; | 474 | break; |
472 | 475 | ||
473 | case DLM_RCOM_LOCK: | 476 | case DLM_RCOM_LOCK: |
477 | if (rc->rc_header.h_length < lock_size) | ||
478 | goto Eshort; | ||
474 | receive_rcom_lock(ls, rc); | 479 | receive_rcom_lock(ls, rc); |
475 | break; | 480 | break; |
476 | 481 | ||
@@ -487,13 +492,18 @@ void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) | |||
487 | break; | 492 | break; |
488 | 493 | ||
489 | case DLM_RCOM_LOCK_REPLY: | 494 | case DLM_RCOM_LOCK_REPLY: |
495 | if (rc->rc_header.h_length < lock_size) | ||
496 | goto Eshort; | ||
490 | dlm_recover_process_copy(ls, rc); | 497 | dlm_recover_process_copy(ls, rc); |
491 | break; | 498 | break; |
492 | 499 | ||
493 | default: | 500 | default: |
494 | log_error(ls, "receive_rcom bad type %d", rc->rc_type); | 501 | log_error(ls, "receive_rcom bad type %d", rc->rc_type); |
495 | } | 502 | } |
496 | out: | 503 | out: |
497 | return; | 504 | return; |
505 | Eshort: | ||
506 | log_error(ls, "recovery message %x from %d is too short", | ||
507 | rc->rc_type, nodeid); | ||
498 | } | 508 | } |
499 | 509 | ||