cls_rbd: protect against excessively large object maps

author Jason Dillaman <dillaman@redhat.com>

Mon, 14 Mar 2016 17:57:28 +0000 (13:57 -0400)

committer Vicente Cheng <freeze.bilsted@gmail.com>

Thu, 31 Mar 2016 15:45:35 +0000 (23:45 +0800)
author Jason Dillaman <dillaman@redhat.com>
Mon, 14 Mar 2016 17:57:28 +0000 (13:57 -0400)
committer Vicente Cheng <freeze.bilsted@gmail.com>
Thu, 31 Mar 2016 15:45:35 +0000 (23:45 +0800)
diff --git a/src/cls/rbd/cls_rbd.cc b/src/cls/rbd/cls_rbd.cc

index ae2a432507fe244290daf78706b7ddfbead3b753..c10263c9f4416a846b50b79f7b296601cf8e1d99 100644 (file)
--- a/src/cls/rbd/cls_rbd.cc
+++ b/src/cls/rbd/cls_rbd.cc
@@ -104,6 +104,7 @@ cls_method_handle_t h_old_snapshot_remove;
  #define RBD_SNAP_KEY_PREFIX "snapshot_"
  #define RBD_DIR_ID_KEY_PREFIX "id_"
  #define RBD_DIR_NAME_KEY_PREFIX "name_"
+#define RBD_MAX_OBJECT_MAP_OBJECT_COUNT 256000000
  
  static int snap_read_header(cls_method_context_t hctx, bufferlist& bl)
  {
@@ -1996,6 +1997,12 @@ int object_map_resize(cls_method_context_t hctx, bufferlist *in, bufferlist *out
      return -EINVAL;
    }
  
+  // protect against excessive memory requirements
+  if (object_count > RBD_MAX_OBJECT_MAP_OBJECT_COUNT) {
+    CLS_ERR("object map too large: %" PRIu64, object_count);
+    return -EINVAL;
+  }
+
    BitVector<2> object_map;
    int r = object_map_read(hctx, object_map);
    if ((r < 0) && (r != -ENOENT)) {
author	Jason Dillaman <dillaman@redhat.com>
	Mon, 14 Mar 2016 17:57:28 +0000 (13:57 -0400)
committer	Vicente Cheng <freeze.bilsted@gmail.com>
	Thu, 31 Mar 2016 15:45:35 +0000 (23:45 +0800)