authorAlex Elder <elder@inktank.com>2012-08-02 12:29:45 -0400
committerAlex Elder <elder@inktank.com>2012-10-01 15:30:48 -0400
commit103a150f0cc57576b1c4b80bf07af60a14349eee (patch)
tree792d889aa95fe748a7c402b5ac7d6af4c397bb80 /drivers/block
parent28cb775de1bd1bcc62c43f767ab81b7b9cfb6678 (diff)
rbd: expand rbd_dev_ondisk_valid() checks
Add checks on the validity of the snap_count and snap_names_len field values in rbd_dev_ondisk_valid(). This eliminates the need to do them in rbd_header_from_disk(). Signed-off-by: Alex Elder <elder@inktank.com> Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
Diffstat (limited to 'drivers/block')
-rw-r--r--drivers/block/rbd.c36
1 files changed, 27 insertions, 9 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index aff4e8a01ea5..5bcd4ebb22e7 100644
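--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -481,8 +481,31 @@ static void rbd_coll_release(struct kref *kref)
 
 static bool rbd_dev_ondisk_valid(struct rbd_image_header_ondisk *ondisk)
 {
- return !memcmp(&ondisk->text,
- RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT));
+ size_t size;
+ u32 snap_count;
+
+ /* The header has to start with the magic rbd header text */
+ if (memcmp(&ondisk->text, RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT)))
+ return false;
+
+ /*
+ * The size of a snapshot header has to fit in a size_t, and
+ * that limits the number of snapshots.
+ */
+ snap_count = le32_to_cpu(ondisk->snap_count);
+ size = SIZE_MAX - sizeof (struct ceph_snap_context);
+ if (snap_count > size / sizeof (__le64))
+ return false;
+
+ /*
+ * Not only that, but the size of the entire the snapshot
+ * header must also be representable in a size_t.
+ */
+ size -= snap_count * sizeof (__le64);
+ if ((u64) size < le64_to_cpu(ondisk->snap_names_len))
+ return false;
+
+ return true;
 }
 
 /*
@@ -499,15 +522,10 @@ static int rbd_header_from_disk(struct rbd_image_header *header,
  if (!rbd_dev_ondisk_valid(ondisk))
  return -ENXIO;
 
- snap_count = le32_to_cpu(ondisk->snap_count);
-
- /* Make sure we don't overflow below */
- size = SIZE_MAX - sizeof (struct ceph_snap_context);
- if (snap_count > size / sizeof (header->snapc->snaps[0]))
- return -EINVAL;
-
  memset(header, 0, sizeof (*header));
 
+ snap_count = le32_to_cpu(ondisk->snap_count);
+
  size = sizeof (ondisk->block_name) + 1;
  header->object_prefix = kmalloc(size, GFP_KERNEL);
  if (!header->object_prefix)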
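Review bot: The two size checks added to rbd_dev_ondisk_valid() only prove that the snapshot-context size cannot wrap a size_t; they are not a sanity limit on the values read from disk. On a 64-bit build every 32-bit `snap_count` passes the first test and `snap_names_len` may be close to SIZE_MAX, so a corrupt header still feeds unbounded sizes to the allocation code in rbd_header_from_disk(), whose body continues outside this hunk. The validator also receives no buffer length, so it cannot confirm that the declared snapshot ids and names lie within the bytes actually read; presumably the caller sizes the read accordingly, which should be confirmed. I would make the limit of the guarantee explicit in the first comment, e.g. `/* Overflow guard only: does not bound snap_count to a sane value or to the size of the buffer that was read */`, and consider an explicit upper bound. Separately, an oversized `snap_count` now surfaces as -ENXIO rather than the former -EINVAL, which the commit message does not mention.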