From: Alex Elder <elder@inktank.com>
To: "ceph-devel@vger.kernel.org" <ceph-devel@vger.kernel.org>
Subject: [PATCH, v2] libceph: skip message if too big to receive
Date: Sat, 06 Apr 2013 15:42:06 -0500 [thread overview]
Message-ID: <5160889E.6080600@inktank.com> (raw)
In-Reply-To: <515F4DAB.8090805@inktank.com>
I found a bug in this and am posting the following
update. If a connection's alloc_msg() method sets
the skip flag, it will return with con->in_msg being
a null pointer. The original version of this would
dereference that pointer without checking, which
causes a crash. This version checks first.
(This and the updated patches that follow it are
available in the "review/wip-3761-4" branch of the
ceph-client git repository.)
-Alex
We know the length of our message buffers. If we get a message
that's too long, just dump it and ignore it. If skip was set
then con->in_msg won't be valid, so be careful not to dereference
a null pointer in the process.
This resolves:
http://tracker.ceph.com/issues/4664
Signed-off-by: Alex Elder <elder@inktank.com>
---
v2: make sure con->in_msg is valid before dereferencing it
net/ceph/messenger.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 994192b..cb5b4e6 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2207,10 +2207,18 @@ static int read_partial_message(struct
ceph_connection *con)
ret = ceph_con_in_msg_alloc(con, &skip);
if (ret < 0)
return ret;
+
+ BUG_ON(!con->in_msg ^ skip);
+ if (con->in_msg && data_len > con->in_msg->data_length) {
+ pr_warning("%s skipping long message (%u > %zd)\n",
+ __func__, data_len, con->in_msg->data_length);
+ ceph_msg_put(con->in_msg);
+ con->in_msg = NULL;
+ skip = 1;
+ }
if (skip) {
/* skip this message */
dout("alloc_msg said skip message\n");
- BUG_ON(con->in_msg);
con->in_base_pos = -front_len - middle_len - data_len -
sizeof(m->footer);
con->in_tag = CEPH_MSGR_TAG_READY;
--
1.7.9.5
next prev parent reply other threads:[~2013-04-06 20:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-05 22:18 [PATCH] libceph: skip message if too big to receive Alex Elder
2013-04-06 20:42 ` Alex Elder [this message]
2013-04-09 0:36 ` [PATCH, v2] " Josh Durgin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5160889E.6080600@inktank.com \
--to=elder@inktank.com \
--cc=ceph-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.