| Message ID | 50200A4E.9050901@inktank.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 08/06/2012 11:17 AM, Alex Elder wrote: > Add checks on the validity of the snap_count and snap_names_len > field values in rbd_dev_ondisk_valid(). This eliminates the > need to do them in rbd_header_from_disk(). > > Signed-off-by: Alex Elder <elder@inktank.com> Just a small typo below. Looks good otherwise: Reviewed-by: Josh Durgin <josh.durgin@inktank.com> > --- > drivers/block/rbd.c | 36 +++++++++++++++++++++++++++--------- > 1 file changed, 27 insertions(+), 9 deletions(-) > > Index: b/drivers/block/rbd.c > =================================================================== > --- a/drivers/block/rbd.c > +++ b/drivers/block/rbd.c > @@ -482,8 +482,31 @@ static void rbd_coll_release(struct kref > > static bool rbd_dev_ondisk_valid(struct rbd_image_header_ondisk *ondisk) > { > - return !memcmp(&ondisk->text, > - RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT)); > + size_t size; > + u32 snap_count; > + > + /* The header has to start with the magic rbd header text */ > + if (memcmp(&ondisk->text, RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT))) > + return false; > + > + /* > + * The size of a snapshot header has to fit in a size_t, and > + * that valid limits the number of snapshots. typo > + */ > + snap_count = le32_to_cpu(ondisk->snap_count); > + size = SIZE_MAX - sizeof (struct ceph_snap_context); > + if (snap_count > size / sizeof (__le64)) > + return false; > + > + /* > + * Not only that, but the size of the entire the snapshot > + * header must also be representable in a size_t. > + */ > + size -= snap_count * sizeof (__le64); > + if ((u64) size < le64_to_cpu(ondisk->snap_names_len)) > + return false; > + > + return true; > } > > /* > @@ -500,15 +523,10 @@ static int rbd_header_from_disk(struct r > if (!rbd_dev_ondisk_valid(ondisk)) > return -ENXIO; > > - snap_count = le32_to_cpu(ondisk->snap_count); > - > - /* Make sure we don't overflow below */ > - size = SIZE_MAX - sizeof (struct ceph_snap_context); > - if (snap_count > size / sizeof (header->snapc->snaps[0])) > - return -EINVAL; > - > memset(header, 0, sizeof (*header)); > > + snap_count = le32_to_cpu(ondisk->snap_count); > + > size = sizeof (ondisk->block_name) + 1; > header->object_prefix = kmalloc(size, GFP_KERNEL); > if (!header->object_prefix) -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Index: b/drivers/block/rbd.c =================================================================== --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -482,8 +482,31 @@ static void rbd_coll_release(struct kref static bool rbd_dev_ondisk_valid(struct rbd_image_header_ondisk *ondisk) { - return !memcmp(&ondisk->text, - RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT)); + size_t size; + u32 snap_count; + + /* The header has to start with the magic rbd header text */ + if (memcmp(&ondisk->text, RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT))) + return false; + + /* + * The size of a snapshot header has to fit in a size_t, and + * that valid limits the number of snapshots. + */ + snap_count = le32_to_cpu(ondisk->snap_count); + size = SIZE_MAX - sizeof (struct ceph_snap_context); + if (snap_count > size / sizeof (__le64)) + return false; + + /* + * Not only that, but the size of the entire the snapshot + * header must also be representable in a size_t. + */ + size -= snap_count * sizeof (__le64); + if ((u64) size < le64_to_cpu(ondisk->snap_names_len)) + return false; + + return true; } /* @@ -500,15 +523,10 @@ static int rbd_header_from_disk(struct r if (!rbd_dev_ondisk_valid(ondisk)) return -ENXIO; - snap_count = le32_to_cpu(ondisk->snap_count); - - /* Make sure we don't overflow below */ - size = SIZE_MAX - sizeof (struct ceph_snap_context); - if (snap_count > size / sizeof (header->snapc->snaps[0])) - return -EINVAL; - memset(header, 0, sizeof (*header)); + snap_count = le32_to_cpu(ondisk->snap_count); + size = sizeof (ondisk->block_name) + 1; header->object_prefix = kmalloc(size, GFP_KERNEL); if (!header->object_prefix)
Add checks on the validity of the snap_count and snap_names_len field values in rbd_dev_ondisk_valid(). This eliminates the need to do them in rbd_header_from_disk(). Signed-off-by: Alex Elder <elder@inktank.com> --- drivers/block/rbd.c | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html