crush: fix map->choose_tries boundary test

CrushWrapper::start_choose_profile allocates map->choose_tries with
choose_total_tries elements. When crush_choose_firstn sets a value, it
tests against map->choose_local_tries which could lead to memory
corruption if map->choose_total_tries is smaller than
map->choose_local_tries.

Another indesirable but non fatal side effect is that the output crushtool
--show-choose-tries will be truncated to choose_local_tries which is
set to a lower value than choose_total_tries by the default tuneables.

Signed-off-by: Loic Dachary <loic@dachary.org>

diff --git a/src/crush/mapper.c b/src/crush/mapper.c
index 3ae3724a98df5ce8ac8832c2fae6eff834429019..0c21ddddbd75d7bb4a9d98984f504b4ccad19ba9 100644 (file)
--- a/src/crush/mapper.c
+++ b/src/crush/mapper.c
@@ -443,7 +443,7 @@ reject:
                out[outpos] = item;
                outpos++;
 
-               if (map->choose_tries && ftotal <= map->choose_local_tries)
+               if (map->choose_tries && ftotal <= map->choose_total_tries)
                        map->choose_tries[ftotal]++;
        }