From: Alex Elder <elder@inktank.com>
To: "ceph-devel@vger.kernel.org" <ceph-devel@vger.kernel.org>
Subject: [PATCH 3/4] rbd: expand rbd_dev_ondisk_valid() checks
Date: Mon, 06 Aug 2012 11:17:50 -0700
Message-ID: <50200A4E.9050901@inktank.com>
In-Reply-To: <502009D1.7090005@inktank.com>

Add checks on the validity of the snap_count and snap_names_len
field values in rbd_dev_ondisk_valid().  This eliminates the
need to do them in rbd_header_from_disk().

Signed-off-by: Alex Elder <elder@inktank.com>
---
drivers/block/rbd.c | 36 +++++++++++++++++++++++++++---------
1 file changed, 27 insertions(+), 9 deletions(-)
Index: b/drivers/block/rbd.c
===================================================================
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -482,8 +482,31 @@ static void rbd_coll_release(struct kref
static bool rbd_dev_ondisk_valid(struct rbd_image_header_ondisk *ondisk)
{
- return !memcmp(&ondisk->text,
- RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT));
+ size_t size;
+ u32 snap_count;
+
+ /* The header has to start with the magic rbd header text */
+ if (memcmp(&ondisk->text, RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT)))
+ return false;
+
+ /*
+ * The size of a snapshot header has to fit in a size_t, and
+ * that valid limits the number of snapshots.
+ */
+ snap_count = le32_to_cpu(ondisk->snap_count);
+ size = SIZE_MAX - sizeof (struct ceph_snap_context);
+ if (snap_count > size / sizeof (__le64))
+ return false;
+
+ /*
+ * Not only that, but the size of the entire the snapshot
+ * header must also be representable in a size_t.
+ */
+ size -= snap_count * sizeof (__le64);
+ if ((u64) size < le64_to_cpu(ondisk->snap_names_len))
+ return false;
+
+ return true;
}
/*
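Review bot: The snap_count bound in rbd_dev_ondisk_valid() now divides by sizeof (__le64), where the check it replaces divided by sizeof (header->snapc->snaps[0]), so the limit is tied to the on-disk element type rather than to the in-memory array that is actually allocated. The two are expected to be the same size, but nothing in this function says so; a short comment, or a BUILD_BUG_ON() comparing the two sizes, would keep the overflow guard honest if either type changes. The arithmetic itself holds: the first test guarantees snap_count * sizeof (__le64) cannot exceed size, so the subtraction cannot wrap, and the (u64) cast makes the snap_names_len comparison safe where size_t is 32 bits. Note that both tests only establish that the total is representable in a size_t, not that it is a reasonable allocation, so a header with a very large snap_names_len still passes here and relies on the later allocation failing. Two wording slips in the new comments are worth fixing while here: "that valid limits the number of snapshots" has a stray "valid", and "the entire the snapshot header" repeats "the".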
@@ -500,15 +523,10 @@ static int rbd_header_from_disk(struct r
if (!rbd_dev_ondisk_valid(ondisk))
return -ENXIO;
- snap_count = le32_to_cpu(ondisk->snap_count);
-
- /* Make sure we don't overflow below */
- size = SIZE_MAX - sizeof (struct ceph_snap_context);
- if (snap_count > size / sizeof (header->snapc->snaps[0]))
- return -EINVAL;
-
memset(header, 0, sizeof (*header));
+ snap_count = le32_to_cpu(ondisk->snap_count);
+
size = sizeof (ondisk->block_name) + 1;
header->object_prefix = kmalloc(size, GFP_KERNEL);
if (!header->object_prefix)
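Review bot: Removing the overflow test from rbd_header_from_disk() changes the errno callers see for an oversized snap_count: the deleted lines returned -EINVAL, while the same condition is now caught by rbd_dev_ondisk_valid() and reported as -ENXIO, the same code as a missing magic string. The commit message does not mention this. If the change is intentional, say so in the changelog; if callers or user space distinguish "not an rbd header" from "header with out-of-range fields", the validity helper would need to return an error code rather than a bool. Moving the snap_count assignment below the memset() is fine, since the value is no longer needed before that point.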