osd/ReplicatedPG: verify we have enough data for WRITE and WRITEFULL

Fixes: #2207
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Samuel Just <sam.just@inktank.com>

diff --git a/src/osd/ReplicatedPG.cc b/src/osd/ReplicatedPG.cc
index 60eb65b7d8ba1a653d5fcec4885da719544c1a37..a2a40058ac1e319880dd5e86c4a9f3b95e7d1df4 100644 (file)
--- a/src/osd/ReplicatedPG.cc
+++ b/src/osd/ReplicatedPG.cc
@@ -2594,6 +2594,10 @@ int ReplicatedPG::do_osd_ops(OpContext *ctx, vector<OSDOp>& ops)
     case CEPH_OSD_OP_WRITE:
       ++ctx->num_write;
       { // write
+       if (op.extent.length > osd_op.indata.length()) {
+         result = -EINVAL;
+         break;
+       }
         __u32 seq = oi.truncate_seq;
         if (seq && (seq > op.extent.truncate_seq) &&
             (op.extent.offset + op.extent.length > oi.size)) {
@@ -2640,6 +2644,10 @@ int ReplicatedPG::do_osd_ops(OpContext *ctx, vector<OSDOp>& ops)
     case CEPH_OSD_OP_WRITEFULL:
       ++ctx->num_write;
       { // write full object
+       if (op.extent.length > osd_op.indata.length()) {
+         result = -EINVAL;
+         break;
+       }
        result = check_offset_and_length(op.extent.offset, op.extent.length);
        if (result < 0)
          break;