rbd: prevent bytes transferred overflow
authorAlex Elder <elder@inktank.com>
Wed, 6 Feb 2013 19:11:38 +0000 (13:11 -0600)
committerAlex Elder <elder@inktank.com>
Wed, 20 Feb 2013 01:14:04 +0000 (19:14 -0600)
In rbd_obj_read_sync(), verify the number of bytes transferred won't
exceed what can be represented by a size_t before using it to
indicate the number of bytes to copy to the result buffer.

(The real motivation for this is to prepare for the next patch.)

Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
drivers/block/rbd.c

index 09514d9..93369a1 100644 (file)
@@ -2048,6 +2048,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
        struct ceph_osd_client *osdc;
        struct page **pages = NULL;
        u32 page_count;
+       size_t size;
        int ret;
 
        page_count = (u32) calc_pages_for(offset, length);
@@ -2084,7 +2085,10 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
        ret = obj_request->result;
        if (ret < 0)
                goto out;
-       ret = ceph_copy_from_page_vector(pages, buf, 0, obj_request->xferred);
+
+       rbd_assert(obj_request->xferred <= (u64) SIZE_MAX);
+       size = (size_t) obj_request->xferred;
+       ret = ceph_copy_from_page_vector(pages, buf, 0, size);
        if (version)
                *version = obj_request->version;
 out: