1 files changed, 26 insertions, 4 deletions
diff --git a/fs/ceph/osdmap.c b/fs/ceph/osdmap.c
index 1d5f58cc2d93..e94c6fb2e2a4 100644
--- a/fs/ceph/osdmap.c
+++ b/fs/ceph/osdmap.c
@@ -424,12 +424,30 @@ static void __remove_pg_pool(struct rb_root *root, struct ceph_pg_pool_info *pi)
        kfree(pi);
 }
-static void __decode_pool(void **p, struct ceph_pg_pool_info *pi)
+static int __decode_pool(void **p, void *end, struct ceph_pg_pool_info *pi)
 {
+        unsigned n, m;
        ceph_decode_copy(p, &pi->v, sizeof(pi->v));
        calc_pg_masks(pi);
-        *p += le32_to_cpu(pi->v.num_snaps) * sizeof(u64);
+        /* num_snaps * snap_info_t */
+        n = le32_to_cpu(pi->v.num_snaps);
+        while (n--) {
+                ceph_decode_need(p, end, sizeof(u64) + 1 + sizeof(u64) +
+                                 sizeof(struct ceph_timespec), bad);
+                *p += sizeof(u64) +       /* key */
+                        1 + sizeof(u64) + /* u8, snapid */
+                        sizeof(struct ceph_timespec);
+                m = ceph_decode_32(p);    /* snap name */
+                *p += m;
+        }
        *p += le32_to_cpu(pi->v.num_removed_snap_intervals) * sizeof(u64) * 2;
+        return 0;
+bad:
+        return -EINVAL;
 }
 static int __decode_pool_names(void **p, void *end, struct ceph_osdmap *map)
@@ -571,7 +589,9 @@ struct ceph_osdmap *osdmap_decode(void **p, void *end)
                        kfree(pi);
                        goto bad;
                }
-                __decode_pool(p, pi);
+                err = __decode_pool(p, end, pi);
+                if (err < 0)
+                        goto bad;
                __insert_pg_pool(&map->pg_pools, pi);
        }
@@ -760,7 +780,9 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
                        pi->id = pool;
                        __insert_pg_pool(&map->pg_pools, pi);
                }
-                __decode_pool(p, pi);
+                err = __decode_pool(p, end, pi);
+                if (err < 0)
+                        goto bad;
        }
        if (version >= 5 && __decode_pool_names(p, end, map) < 0)
                goto bad;

diff --git a/fs/ceph/osdmap.c b/fs/ceph/osdmap.c index 1d5f58cc2d93..e94c6fb2e2a4 100644 --- a/fs/ceph/osdmap.c +++ b/fs/ceph/osdmap.c
@@ -424,12 +424,30 @@ static void __remove_pg_pool(struct rb_root root, struct ceph_pg_pool_info pi)
424	kfree(pi);	424	kfree(pi);
425	}	425	}
426		426
427	static void __decode_pool(void *p, struct ceph_pg_pool_info pi)	427	static int __decode_pool(void *p, void end, struct ceph_pg_pool_info *pi)
428	{	428	{
		429	unsigned n, m;
		430
429	ceph_decode_copy(p, &pi->v, sizeof(pi->v));	431	ceph_decode_copy(p, &pi->v, sizeof(pi->v));
430	calc_pg_masks(pi);	432	calc_pg_masks(pi);
431	p += le32_to_cpu(pi->v.num_snaps) sizeof(u64);	433
		434	/* num_snaps * snap_info_t */
		435	n = le32_to_cpu(pi->v.num_snaps);
		436	while (n--) {
		437	ceph_decode_need(p, end, sizeof(u64) + 1 + sizeof(u64) +
		438	sizeof(struct ceph_timespec), bad);
		439	p += sizeof(u64) + / key */
		440	1 + sizeof(u64) + /* u8, snapid */
		441	sizeof(struct ceph_timespec);
		442	m = ceph_decode_32(p); /* snap name */
		443	*p += m;
		444	}
		445
432	p += le32_to_cpu(pi->v.num_removed_snap_intervals) sizeof(u64) * 2;	446	p += le32_to_cpu(pi->v.num_removed_snap_intervals) sizeof(u64) * 2;
		447	return 0;
		448
		449	bad:
		450	return -EINVAL;
433	}	451	}
434		452
435	static int __decode_pool_names(void *p, void end, struct ceph_osdmap *map)	453	static int __decode_pool_names(void *p, void end, struct ceph_osdmap *map)
@@ -571,7 +589,9 @@ struct ceph_osdmap osdmap_decode(void p, void end)
571	kfree(pi);	589	kfree(pi);
572	goto bad;	590	goto bad;
573	}	591	}
574	__decode_pool(p, pi);	592	err = __decode_pool(p, end, pi);
		593	if (err < 0)
		594	goto bad;
575	__insert_pg_pool(&map->pg_pools, pi);	595	__insert_pg_pool(&map->pg_pools, pi);
576	}	596	}
577		597
@@ -760,7 +780,9 @@ struct ceph_osdmap osdmap_apply_incremental(void p, void end,
760	pi->id = pool;	780	pi->id = pool;
761	__insert_pg_pool(&map->pg_pools, pi);	781	__insert_pg_pool(&map->pg_pools, pi);
762	}	782	}
763	__decode_pool(p, pi);	783	err = __decode_pool(p, end, pi);
		784	if (err < 0)
		785	goto bad;
764	}	786	}
765	if (version >= 5 && __decode_pool_names(p, end, map) < 0)	787	if (version >= 5 && __decode_pool_names(p, end, map) < 0)
766	goto bad;	788	goto bad;