Commit 103a150f authored by Alex Elder's avatar Alex Elder

rbd: expand rbd_dev_ondisk_valid() checks

Add checks on the validity of the snap_count and snap_names_len
field values in rbd_dev_ondisk_valid().  This eliminates the
need to do them in rbd_header_from_disk().
Signed-off-by: default avatarAlex Elder <elder@inktank.com>
Reviewed-by: default avatarJosh Durgin <josh.durgin@inktank.com>
parent 28cb775d
...@@ -481,8 +481,31 @@ static void rbd_coll_release(struct kref *kref) ...@@ -481,8 +481,31 @@ static void rbd_coll_release(struct kref *kref)
static bool rbd_dev_ondisk_valid(struct rbd_image_header_ondisk *ondisk) static bool rbd_dev_ondisk_valid(struct rbd_image_header_ondisk *ondisk)
{ {
return !memcmp(&ondisk->text, size_t size;
RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT)); u32 snap_count;
/* The header has to start with the magic rbd header text */
if (memcmp(&ondisk->text, RBD_HEADER_TEXT, sizeof (RBD_HEADER_TEXT)))
return false;
/*
* The size of a snapshot header has to fit in a size_t, and
* that limits the number of snapshots.
*/
snap_count = le32_to_cpu(ondisk->snap_count);
size = SIZE_MAX - sizeof (struct ceph_snap_context);
if (snap_count > size / sizeof (__le64))
return false;
/*
* Not only that, but the size of the entire the snapshot
* header must also be representable in a size_t.
*/
size -= snap_count * sizeof (__le64);
if ((u64) size < le64_to_cpu(ondisk->snap_names_len))
return false;
return true;
} }
/* /*
...@@ -499,15 +522,10 @@ static int rbd_header_from_disk(struct rbd_image_header *header, ...@@ -499,15 +522,10 @@ static int rbd_header_from_disk(struct rbd_image_header *header,
if (!rbd_dev_ondisk_valid(ondisk)) if (!rbd_dev_ondisk_valid(ondisk))
return -ENXIO; return -ENXIO;
snap_count = le32_to_cpu(ondisk->snap_count);
/* Make sure we don't overflow below */
size = SIZE_MAX - sizeof (struct ceph_snap_context);
if (snap_count > size / sizeof (header->snapc->snaps[0]))
return -EINVAL;
memset(header, 0, sizeof (*header)); memset(header, 0, sizeof (*header));
snap_count = le32_to_cpu(ondisk->snap_count);
size = sizeof (ondisk->block_name) + 1; size = sizeof (ondisk->block_name) + 1;
header->object_prefix = kmalloc(size, GFP_KERNEL); header->object_prefix = kmalloc(size, GFP_KERNEL);
if (!header->object_prefix) if (!header->object_prefix)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment