diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2008-01-25 19:55:09 -0500 |
---|---|---|
committer | David Teigland <teigland@redhat.com> | 2008-02-04 02:25:09 -0500 |
commit | ae773d0b74bf2244887a6d0504372748381ab9c7 (patch) | |
tree | 43862e0dea715b3d07c4a456e35e4b67525c973b /fs/dlm/rcom.c | |
parent | cd9df1aac346f1c7f592739d092ff710c27bbcde (diff) |
dlm: verify that places expecting rcom_lock have packet long enough
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Teigland <teigland@redhat.com>
Diffstat (limited to 'fs/dlm/rcom.c')
-rw-r--r-- | fs/dlm/rcom.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/fs/dlm/rcom.c b/fs/dlm/rcom.c index a312f1d97f8b..ef9d0f918492 100644 --- a/fs/dlm/rcom.c +++ b/fs/dlm/rcom.c | |||
@@ -357,6 +357,7 @@ int dlm_send_rcom_lock(struct dlm_rsb *r, struct dlm_lkb *lkb) | |||
357 | return error; | 357 | return error; |
358 | } | 358 | } |
359 | 359 | ||
360 | /* needs at least dlm_rcom + rcom_lock */ | ||
360 | static void receive_rcom_lock(struct dlm_ls *ls, struct dlm_rcom *rc_in) | 361 | static void receive_rcom_lock(struct dlm_ls *ls, struct dlm_rcom *rc_in) |
361 | { | 362 | { |
362 | struct dlm_rcom *rc; | 363 | struct dlm_rcom *rc; |
@@ -448,6 +449,8 @@ static int is_old_reply(struct dlm_ls *ls, struct dlm_rcom *rc) | |||
448 | 449 | ||
449 | void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) | 450 | void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) |
450 | { | 451 | { |
452 | int lock_size = sizeof(struct dlm_rcom) + sizeof(struct rcom_lock); | ||
453 | |||
451 | if (dlm_recovery_stopped(ls) && (rc->rc_type != DLM_RCOM_STATUS)) { | 454 | if (dlm_recovery_stopped(ls) && (rc->rc_type != DLM_RCOM_STATUS)) { |
452 | log_debug(ls, "ignoring recovery message %x from %d", | 455 | log_debug(ls, "ignoring recovery message %x from %d", |
453 | rc->rc_type, nodeid); | 456 | rc->rc_type, nodeid); |
@@ -471,6 +474,8 @@ void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) | |||
471 | break; | 474 | break; |
472 | 475 | ||
473 | case DLM_RCOM_LOCK: | 476 | case DLM_RCOM_LOCK: |
477 | if (rc->rc_header.h_length < lock_size) | ||
478 | goto Eshort; | ||
474 | receive_rcom_lock(ls, rc); | 479 | receive_rcom_lock(ls, rc); |
475 | break; | 480 | break; |
476 | 481 | ||
@@ -487,13 +492,18 @@ void dlm_receive_rcom(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid) | |||
487 | break; | 492 | break; |
488 | 493 | ||
489 | case DLM_RCOM_LOCK_REPLY: | 494 | case DLM_RCOM_LOCK_REPLY: |
495 | if (rc->rc_header.h_length < lock_size) | ||
496 | goto Eshort; | ||
490 | dlm_recover_process_copy(ls, rc); | 497 | dlm_recover_process_copy(ls, rc); |
491 | break; | 498 | break; |
492 | 499 | ||
493 | default: | 500 | default: |
494 | log_error(ls, "receive_rcom bad type %d", rc->rc_type); | 501 | log_error(ls, "receive_rcom bad type %d", rc->rc_type); |
495 | } | 502 | } |
496 | out: | 503 | out: |
497 | return; | 504 | return; |
505 | Eshort: | ||
506 | log_error(ls, "recovery message %x from %d is too short", | ||
507 | rc->rc_type, nodeid); | ||
498 | } | 508 | } |
499 | 509 | ||