authorAl Viro <viro@zeniv.linux.org.uk>2008-01-25 19:55:09 -0500
committerDavid Teigland <teigland@redhat.com>2008-02-04 02:25:09 -0500
commitae773d0b74bf2244887a6d0504372748381ab9c7 (patch)
tree43862e0dea715b3d07c4a456e35e4b67525c973b
parentcd9df1aac346f1c7f592739d092ff710c27bbcde (diff)
dlm: verify that places expecting rcom_lock have packet long enough
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Teigland <teigland@redhat.com>
-rw-r--r--fs/dlm/lock.c3
-rw-r--r--fs/dlm/rcom.c12
2 files changed, 14 insertions, 1 deletions
diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index 75176b58ae04..6c605fc10613 100644
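--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -4266,6 +4266,7 @@ static struct dlm_lkb *search_remid(struct dlm_rsb *r, int nodeid,
  return NULL;
 }
 
+/* needs at least dlm_rcom + rcom_lock */
 static int receive_rcom_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb,
  struct dlm_rsb *r, struct dlm_rcom *rc)
 {
@@ -4315,6 +4316,7 @@ static int receive_rcom_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb,
  the given values and send back our lkid. We send back our lkid by sending
  back the rcom_lock struct we got but with the remid field filled in. */
 
+/* needs at least dlm_rcom + rcom_lock */
 int dlm_recover_master_copy(struct dlm_ls *ls, struct dlm_rcom *rc)
 {
  struct rcom_lock *rl = (struct rcom_lock *) rc->rc_buf;
@@ -4370,6 +4372,7 @@ int dlm_recover_master_copy(struct dlm_ls *ls, struct dlm_rcom *rc)
  return error;
 }
 
+/* needs at least dlm_rcom + rcom_lock */
 int dlm_recover_process_copy(struct dlm_ls *ls, struct dlm_rcom *rc)
 {
  struct rcom_lock *rl = (struct rcom_lock *) rc->rc_buf;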
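Review bot: The three added comments state the size requirement in prose only, and nothing inside these functions enforces it; dlm_recover_master_copy and dlm_recover_process_copy both cast `rc->rc_buf` to `struct rcom_lock *` on their first line, so a caller that skips the length check would read past the end of a short packet. Naming the field and the party responsible would make the contract auditable, for example `/* caller must ensure rc->rc_header.h_length >= sizeof(struct dlm_rcom) + sizeof(struct rcom_lock) */`. The bodies of all three functions continue outside the hunks, so any further length-dependent reads inside them could not be checked here.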
diff --git a/fs/dlm/rcom.c b/fs/dlm/rcom.c
index a312f1d97f8b..ef9d0f918492 100644
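--- a/fs/dlm/rcom.c
+++ b/fs/dlm/rcom.c
@@ -357,6 +357,7 @@ int dlm_send_rcom_lock(struct dlm_rsb *r, struct dlm_lkb *lkb)
  return error;
 }
 
+/* needs at least dlm_rcom + rcom_lock */
 static void receive_rcom_lock(struct dlm_ls *ls, struct dlm_rcom *rc_in)
 {
  struct dlm_rcom *rc;
@@ -448,6 +449,8 @@ static int is_old_reply(struct dlm_ls *ls, struct dlm_rcom *rc)
 
 void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid)
 {
+ int lock_size = sizeof(struct dlm_rcom) + sizeof(struct rcom_lock);
+
  if (dlm_recovery_stopped(ls) && (rc->rc_type != DLM_RCOM_STATUS)) {
  log_debug(ls, "ignoring recovery message %x from %d",
  rc->rc_type, nodeid);
@@ -471,6 +474,8 @@ void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid)
  break;
 
  case DLM_RCOM_LOCK:
+ if (rc->rc_header.h_length < lock_size)
+ goto Eshort;
  receive_rcom_lock(ls, rc);
  break;
 
@@ -487,13 +492,18 @@ void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid)
  break;
 
  case DLM_RCOM_LOCK_REPLY:
+ if (rc->rc_header.h_length < lock_size)
+ goto Eshort;
  dlm_recover_process_copy(ls, rc);
  break;
 
  default:
  log_error(ls, "receive_rcom bad type %d", rc->rc_type);
  }
- out:
+out:
  return;
+Eshort:
+ log_error(ls, "recovery message %x from %d is too short",
+ rc->rc_type, nodeid);
 }
 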
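Review bot: Both new guards in dlm_receive_rcom (the DLM_RCOM_LOCK and DLM_RCOM_LOCK_REPLY cases) compare against `rc->rc_header.h_length`, a value the sending node wrote into the header. They therefore bound the later `struct rcom_lock` access only if a lower layer has already checked h_length against the number of bytes actually received. That check is not visible in these hunks, so it is worth confirming and recording next to `lock_size`, for example `/* h_length must already be checked against the received byte count */`. The Eshort path calls log_error for every short packet; if log_error is not rate-limited, a misbehaving peer can flood the log, so a rate-limited variant would be safer here.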