diff options
author | Alex Elder <elder@inktank.com> | 2013-02-06 13:11:38 -0600 |
---|---|---|
committer | Alex Elder <elder@inktank.com> | 2013-02-19 19:14:04 -0600 |
commit | 1ceae7ef0fd00c965a2257c6e9eb497ca91f01c7 (patch) | |
tree | 092a10e88f4503fb41495157d8ea0ad70760bdf8 /drivers | |
parent | b324814e8436772cb3367b14149ba003a9954525 (diff) |
rbd: prevent bytes transferred overflow
In rbd_obj_read_sync(), verify the number of bytes transferred won't
exceed what can be represented by a size_t before using it to
indicate the number of bytes to copy to the result buffer.
(The real motivation for this is to prepare for the next patch.)
Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/block/rbd.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 09514d9d8a97..93369a1a08e1 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -2048,6 +2048,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev, struct ceph_osd_client *osdc; struct page **pages = NULL; u32 page_count; + size_t size; int ret; page_count = (u32) calc_pages_for(offset, length); @@ -2084,7 +2085,10 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev, ret = obj_request->result; if (ret < 0) goto out; - ret = ceph_copy_from_page_vector(pages, buf, 0, obj_request->xferred); + + rbd_assert(obj_request->xferred <= (u64) SIZE_MAX); + size = (size_t) obj_request->xferred; + ret = ceph_copy_from_page_vector(pages, buf, 0, size); if (version) *version = obj_request->version; out: |