rbd: prevent bytes transferred overflow

In rbd_obj_read_sync(), verify the number of bytes transferred won't exceed what can be represented by a size_t before using it to indicate the number of bytes to copy to the result buffer. (The real motivation for this is to prepare for the next patch.) Signed-off-by: Alex Elder <elder@inktank.com> Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
author: Alex Elder <elder@inktank.com> 2013-02-06 14:11:38 -0500
committer: Alex Elder <elder@inktank.com> 2013-02-19 20:14:04 -0500
commit: 1ceae7ef0fd00c965a2257c6e9eb497ca91f01c7 (patch)
tree: 092a10e88f4503fb41495157d8ea0ad70760bdf8 /drivers/block
parent: b324814e8436772cb3367b14149ba003a9954525 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 09514d9d8a97..93369a1a08e1 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -2048,6 +2048,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
        struct ceph_osd_client *osdc;
        struct page **pages = NULL;
        u32 page_count;
+        size_t size;
        int ret;
        page_count = (u32) calc_pages_for(offset, length);
@@ -2084,7 +2085,10 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
        ret = obj_request->result;
        if (ret < 0)
                goto out;
-        ret = ceph_copy_from_page_vector(pages, buf, 0, obj_request->xferred);
+        rbd_assert(obj_request->xferred <= (u64) SIZE_MAX);
+        size = (size_t) obj_request->xferred;
+        ret = ceph_copy_from_page_vector(pages, buf, 0, size);
        if (version)
                *version = obj_request->version;
 out:
author	Alex Elder <elder@inktank.com>	2013-02-06 14:11:38 -0500
committer	Alex Elder <elder@inktank.com>	2013-02-19 20:14:04 -0500
commit	1ceae7ef0fd00c965a2257c6e9eb497ca91f01c7 (patch)
tree	092a10e88f4503fb41495157d8ea0ad70760bdf8 /drivers/block
parent	b324814e8436772cb3367b14149ba003a9954525 (diff)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 09514d9d8a97..93369a1a08e1 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c
@@ -2048,6 +2048,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
2048	struct ceph_osd_client *osdc;	2048	struct ceph_osd_client *osdc;
2049	struct page **pages = NULL;	2049	struct page **pages = NULL;
2050	u32 page_count;	2050	u32 page_count;
		2051	size_t size;
2051	int ret;	2052	int ret;
2052		2053
2053	page_count = (u32) calc_pages_for(offset, length);	2054	page_count = (u32) calc_pages_for(offset, length);
@@ -2084,7 +2085,10 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
2084	ret = obj_request->result;	2085	ret = obj_request->result;
2085	if (ret < 0)	2086	if (ret < 0)
2086	goto out;	2087	goto out;
2087	ret = ceph_copy_from_page_vector(pages, buf, 0, obj_request->xferred);	2088
		2089	rbd_assert(obj_request->xferred <= (u64) SIZE_MAX);
		2090	size = (size_t) obj_request->xferred;
		2091	ret = ceph_copy_from_page_vector(pages, buf, 0, size);
2088	if (version)	2092	if (version)
2089	*version = obj_request->version;	2093	*version = obj_request->version;
2090	out:	2094	out: