libceph: skip message if too big to receive

We know the length of our message buffers.  If we get a message
that's too long, just dump it and ignore it.  If skip was set
then con->in_msg won't be valid, so be careful not to dereference
a null pointer in the process.

This resolves:
    http://tracker.ceph.com/issues/4664

Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Josh Durgin <josh.durgin@inktank.com>

1 files changed, 9 insertions, 1 deletions

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 994192beda02..cb5b4e6733f0 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2207,10 +2207,18 @@ static int read_partial_message(struct ceph_connection *con)
                 ret = ceph_con_in_msg_alloc(con, &skip);
                 if (ret < 0)
                         return ret;
+
+                BUG_ON(!con->in_msg ^ skip);
+                if (con->in_msg && data_len > con->in_msg->data_length) {
+                        pr_warning("%s skipping long message (%u > %zd)\n",
+                                __func__, data_len, con->in_msg->data_length);
+                        ceph_msg_put(con->in_msg);
+                        con->in_msg = NULL;
+                        skip = 1;
+                }
                 if (skip) {
                         /* skip this message */
                         dout("alloc_msg said skip message\n");
-                        BUG_ON(con->in_msg);
                         con->in_base_pos = -front_len - middle_len - data_len -
                                 sizeof(m->footer);
                         con->in_tag = CEPH_MSGR_TAG_READY;