
Commit cd7d469

lxbszidryomov
authored andcommitted
libceph: fail sparse-read if the data length doesn't match
Once this happens, it means there are bugs. Signed-off-by: Xiubo Li <xiubli@redhat.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
1 parent 54be6c6 commit cd7d469


2 files changed

+17
-4
lines changed


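--- a/include/linux/ceph/osd_client.h
+++ b/include/linux/ceph/osd_client.h
@@ -45,6 +45,7 @@ enum ceph_sparse_read_state {
 CEPH_SPARSE_READ_HDR = 0,
 CEPH_SPARSE_READ_EXTENTS,
 CEPH_SPARSE_READ_DATA_LEN,
+CEPH_SPARSE_READ_DATA_PRE,
 CEPH_SPARSE_READ_DATA,
 };
 
@@ -64,7 +65,7 @@ struct ceph_sparse_read {
 u64 sr_req_len; /* orig request length */
 u64 sr_pos; /* current pos in buffer */
 int sr_index; /* current extent index */
-__le32 sr_datalen; /* length of actual data */
+u32 sr_datalen; /* length of actual data */
 u32 sr_count; /* extent count in reply */
 int sr_ext_len; /* length of extent array */
 struct ceph_sparse_extent *sr_extent; /* extent array */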
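Review bot: The comment on `sr_datalen` no longer tells the reader which byte order the field holds. After the change from `__le32` to `u32` the field still receives the raw little-endian value from the wire, and it is only converted once the state machine reaches the new DATA_PRE state (see the osd_client.c part of this commit). I would say so in the comment, e.g. `u32 sr_datalen; /* length of actual data; raw LE from the wire until DATA_PRE converts it */`, because dropping the `__le32` annotation also means sparse will no longer flag a use of the unconverted value. The new `CEPH_SPARSE_READ_DATA_PRE` enumerator could carry a short comment too, e.g. `/* convert and validate the data length */`.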

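--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -5857,8 +5857,8 @@ static int osd_sparse_read(struct ceph_connection *con,
 struct ceph_osd *o = con->private;
 struct ceph_sparse_read *sr = &o->o_sparse_read;
 u32 count = sr->sr_count;
-u64 eoff, elen;
-int ret;
+u64 eoff, elen, len = 0;
+int i, ret;
 
 switch (sr->sr_state) {
 case CEPH_SPARSE_READ_HDR:
@@ -5903,8 +5903,20 @@ static int osd_sparse_read(struct ceph_connection *con,
 convert_extent_map(sr);
 ret = sizeof(sr->sr_datalen);
 *pbuf = (char *)&sr->sr_datalen;
-sr->sr_state = CEPH_SPARSE_READ_DATA;
+sr->sr_state = CEPH_SPARSE_READ_DATA_PRE;
 break;
+case CEPH_SPARSE_READ_DATA_PRE:
+/* Convert sr_datalen to host-endian */
+sr->sr_datalen = le32_to_cpu((__force __le32)sr->sr_datalen);
+for (i = 0; i < count; i++)
+len += sr->sr_extent[i].len;
+if (sr->sr_datalen != len) {
+pr_warn_ratelimited("data len %u != extent len %llu\n",
+sr->sr_datalen, len);
+return -EREMOTEIO;
+}
+sr->sr_state = CEPH_SPARSE_READ_DATA;
+fallthrough;
 case CEPH_SPARSE_READ_DATA:
 if (sr->sr_index >= count) {
 sr->sr_state = CEPH_SPARSE_READ_HDR;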
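Review bot: The consistency check in the new `CEPH_SPARSE_READ_DATA_PRE` case sums extent lengths taken from the reply into a `u64` with no overflow guard, so a set of extents whose total wraps around could still equal `sr_datalen` and pass. Unless each extent is bounded before this point (not visible in the hunk), I would accumulate with `if (check_add_overflow(len, sr->sr_extent[i].len, &len)) return -EREMOTEIO;`, assuming the extent length is a `u64`. The loop index is a signed `int` compared against the `u32 count`; declaring it as `u32 i` keeps the comparison in one type. On the `-EREMOTEIO` return `sr_state` stays at DATA_PRE with `sr_datalen` already converted in place, so it is worth confirming that the caller resets the sparse-read state on error, since a re-entry would byte-swap the value a second time on big-endian hosts. osd_sparse_read's body starts and ends outside these hunks.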
