Message ID | 517A6DE0.5080305@inktank.com (mailing list archive) |
---|---|
State | New, archived |
Reviewed-by: Josh Durgin <josh.durgin@inktank.com> On 04/26/2013 05:06 AM, Alex Elder wrote: > Now that rbd_obj_method_sync() returns the number of bytes > returned by the method call, that value should be used by > callers to ensure we don't overrun the valid portion of the > buffer. > > Fix the two spots that remained that weren't doing that, > rbd_dev_image_name() and rbd_dev_v2_snap_name(). > > Rearrange the error path slightly in rbd_dev_v2_snap_name(). > > Signed-off-by: Alex Elder <elder@inktank.com> > --- > drivers/block/rbd.c | 25 ++++++++++++------------- > 1 file changed, 12 insertions(+), 13 deletions(-) > > diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c > index 2b5ba50..dcd8e58 100644 > --- a/drivers/block/rbd.c > +++ b/drivers/block/rbd.c > @@ -2614,7 +2614,8 @@ out_cancel: > } > > /* > - * Synchronous osd object method call > + * Synchronous osd object method call. Returns the number of bytes > + * returned in the outbound buffer, or a negative error code. > */ > static int rbd_obj_method_sync(struct rbd_device *rbd_dev, > const char *object_name, > @@ -3740,7 +3741,8 @@ static char *rbd_dev_image_name(struct rbd_device > *rbd_dev) > if (ret < 0) > goto out; > p = reply_buf; > - end = reply_buf + size; > + end = reply_buf + ret; > + > image_name = ceph_extract_encoded_string(&p, end, &len, GFP_KERNEL); > if (IS_ERR(image_name)) > image_name = NULL; 
> @@ -3913,26 +3915,23 @@ static char *rbd_dev_v2_snap_name(struct > rbd_device *rbd_dev, u32 which) > &snap_id, sizeof (snap_id), > reply_buf, size, NULL); > dout("%s: rbd_obj_method_sync returned %d\n", __func__, ret); > - if (ret < 0) > + if (ret < 0) { > + snap_name = ERR_PTR(ret); > goto out; > + } > > p = reply_buf; > - end = reply_buf + size; > + end = reply_buf + ret; > snap_name = ceph_extract_encoded_string(&p, end, NULL, GFP_KERNEL); > - if (IS_ERR(snap_name)) { > - ret = PTR_ERR(snap_name); > + if (IS_ERR(snap_name)) > goto out; > - } else { > - dout(" snap_id 0x%016llx snap_name = %s\n", > - (unsigned long long)le64_to_cpu(snap_id), snap_name); > - } > - kfree(reply_buf); > > - return snap_name; > + dout(" snap_id 0x%016llx snap_name = %s\n", > + (unsigned long long)le64_to_cpu(snap_id), snap_name); > out: > kfree(reply_buf); > > - return ERR_PTR(ret); > + return snap_name; > } > > static char *rbd_dev_v2_snap_info(struct rbd_device *rbd_dev, u32 which, > -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 2b5ba50..dcd8e58 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -2614,7 +2614,8 @@ out_cancel:
 }

 /*
- * Synchronous osd object method call
+ * Synchronous osd object method call. Returns the number of bytes
+ * returned in the outbound buffer, or a negative error code.
 */
 static int rbd_obj_method_sync(struct rbd_device *rbd_dev,
 const char *object_name,
@@ -3740,7 +3741,8 @@ static char *rbd_dev_image_name(struct rbd_device *rbd_dev)
 if (ret < 0)
 goto out;
 p = reply_buf;
- end = reply_buf + size;
+ end = reply_buf + ret;
+
 image_name = ceph_extract_encoded_string(&p, end, &len, GFP_KERNEL);
 if (IS_ERR(image_name))
Now that rbd_obj_method_sync() returns the number of bytes returned by the method call, that value should be used by callers to ensure we don't overrun the valid portion of the buffer. Fix the two spots that remained that weren't doing that, rbd_dev_image_name() and rbd_dev_v2_snap_name(). Rearrange the error path slightly in rbd_dev_v2_snap_name().
Signed-off-by: Alex Elder <elder@inktank.com>
---
 drivers/block/rbd.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
 image_name = NULL;
@@ -3913,26 +3915,23 @@ static char *rbd_dev_v2_snap_name(struct rbd_device *rbd_dev, u32 which)
 &snap_id, sizeof (snap_id),
 reply_buf, size, NULL);
 dout("%s: rbd_obj_method_sync returned %d\n", __func__, ret);
- if (ret < 0)
+ if (ret < 0) {
+ snap_name = ERR_PTR(ret);
 goto out;
+ }

 p = reply_buf;
- end = reply_buf + size;
+ end = reply_buf + ret;
 snap_name = ceph_extract_encoded_string(&p, end, NULL, GFP_KERNEL);
- if (IS_ERR(snap_name)) {
- ret = PTR_ERR(snap_name);
+ if (IS_ERR(snap_name))
 goto out;
- } else {
- dout(" snap_id 0x%016llx snap_name = %s\n",
- (unsigned long long)le64_to_cpu(snap_id), snap_name);
- }
- kfree(reply_buf);

- return snap_name;
+ dout(" snap_id 0x%016llx snap_name = %s\n",
+ (unsigned long long)le64_to_cpu(snap_id), snap_name);
 out:
 kfree(reply_buf);

- return ERR_PTR(ret);
+ return snap_name;
 }

 static char *rbd_dev_v2_snap_info(struct rbd_device *rbd_dev, u32 which,
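Review bot: `end = reply_buf + ret;` in rbd_dev_image_name() uses the byte count returned by rbd_obj_method_sync() as the parse bound without comparing it against `size`, the length passed for the reply buffer; the rbd_dev_v2_snap_name() hunk has the same line. The count presumably originates from the OSD reply, and the helper's body is not in this diff, so nothing visible here guarantees it never exceeds the inbound buffer length. If the helper does not enforce that, a guard right after the `ret < 0` test, such as `rbd_assert(ret <= size);` (cast as needed; the declaration of `size` is outside the hunk), would keep ceph_extract_encoded_string() inside the allocation. Both functions begin outside their hunks.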
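Review bot: The `out:` label in rbd_dev_v2_snap_name() now returns `snap_name` instead of `ERR_PTR(ret)`, so every path reaching it must have assigned `snap_name` first. The two `goto out` sites visible in the hunk do, but the function starts outside the hunk, so an earlier jump to `out:` or a declaration without an initialiser would hand callers an uninitialised pointer to test with IS_ERR(). A one-line comment at the label would record the invariant: `/* snap_name holds a string or an ERR_PTR() on every path here */`.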