librbd: check bounds whent trying to update head object map

In deep copy case we may try to update the object map for a
copied object that is beyond the current image size but has
a larger snapshot.

Signed-off-by: Mykola Golub <mgolub@suse.com>

diff --git a/src/librbd/ObjectMap.cc b/src/librbd/ObjectMap.cc
index cfc15df629bc2ea253001bc67513807387fd1203..0a94f5a86e12818b4c821ebc88bc362e010a52d1 100644 (file)
--- a/src/librbd/ObjectMap.cc
+++ b/src/librbd/ObjectMap.cc
@@ -302,7 +302,8 @@ void ObjectMap<I>::aio_update(uint64_t snap_id, uint64_t start_object_no,
                        stringify(static_cast<uint32_t>(*current_state)) : "")
                 << "->" << static_cast<uint32_t>(new_state) << dendl;
   if (snap_id == CEPH_NOSNAP) {
-    if (end_object_no > m_object_map.size()) {
+    end_object_no = std::min(end_object_no, m_object_map.size());
+    if (start_object_no >= end_object_no) {
       ldout(cct, 20) << "skipping update of invalid object map" << dendl;
       m_image_ctx.op_work_queue->queue(on_finish, 0);
       return;

diff --git a/src/librbd/ObjectMap.h b/src/librbd/ObjectMap.h
index f82f11b72b496cfe9d43b9269497b560b22757b9..dab91c04cf53a695345c458739d44cac7029bcfd 100644 (file)
--- a/src/librbd/ObjectMap.h
+++ b/src/librbd/ObjectMap.h
@@ -69,6 +69,11 @@ public:
                   const ZTracer::Trace &parent_trace, T *callback_object) {
     assert(start_object_no < end_object_no);
     if (snap_id == CEPH_NOSNAP) {
+      end_object_no = std::min(end_object_no, m_object_map.size());
+      if (start_object_no >= end_object_no) {
+        return false;
+      }
+
       auto it = m_object_map.begin() + start_object_no;
       auto end_it = m_object_map.begin() + end_object_no;
       for (; it != end_it; ++it) {