From patchwork Sat Apr 6 20:42:06 2013
X-Patchwork-Submitter: Alex Elder
X-Patchwork-Id: 2402451
Message-ID: <5160889E.6080600@inktank.com>
Date: Sat, 06 Apr 2013 15:42:06 -0500
From: Alex Elder
To: "ceph-devel@vger.kernel.org"
Subject: [PATCH, v2] libceph: skip message if too big to receive
References: <515F4DAB.8090805@inktank.com>
In-Reply-To: <515F4DAB.8090805@inktank.com>
X-Mailing-List: ceph-devel@vger.kernel.org

I found a bug in this and am posting the following update.

If a connection's alloc_msg() method sets the skip flag, it will return with con->in_msg being a null pointer. The original version of this would dereference that pointer without checking, which causes a crash. This version checks first.

(This and the updated patches that follow it are available in the "review/wip-3761-4" branch of the ceph-client git repository.)

-Alex

We know the length of our message buffers. If we get a message that's too long, just dump it and ignore it.

If skip was set then con->in_msg won't be valid, so be careful not to dereference a null pointer in the process.

This resolves:
http://tracker.ceph.com/issues/4664

Signed-off-by: Alex Elder
Reviewed-by: Josh Durgin
---
v2: make sure con->in_msg is valid before dereferencing it

net/ceph/messenger.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

con->in_tag = CEPH_MSGR_TAG_READY;

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 994192b..cb5b4e6 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2207,10 +2207,18 @@ static int read_partial_message(struct ceph_connection *con) ret = ceph_con_in_msg_alloc(con, &skip); if (ret < 0) return ret; + + BUG_ON(!con->in_msg ^ skip); + if (con->in_msg && data_len > con->in_msg->data_length) { + pr_warning("%s skipping long message (%u > %zd)\n", + __func__, data_len, con->in_msg->data_length); + ceph_msg_put(con->in_msg); + con->in_msg = NULL; + skip = 1; + } if (skip) { /* skip this message */ dout("alloc_msg said skip message\n"); - BUG_ON(con->in_msg); con->in_base_pos = -front_len - middle_len - data_len - sizeof(m->footer);
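Review bot: the pr_warning() in the new oversized-message branch fires once per offending message, and data_len is taken straight from the peer's header, so a misbehaving peer that keeps sending oversized headers can fill the kernel log; a rate-limited variant (pr_warn_ratelimited()) keeps the diagnostic without that cost. Smaller point on the same hunk: `BUG_ON(!con->in_msg ^ skip)` only expresses the intended invariant when skip is exactly 0 or 1, whereas `BUG_ON(!con->in_msg != !skip)` states it for any nonzero skip value. The rest of the change reads correctly: the in_msg null check guards the data_length dereference, the message is released and in_msg cleared before skip is set, and the removed `BUG_ON(con->in_msg)` inside the skip block is subsumed by the new check above it.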