fcopyfile() reads 1 MiB of data at a time, but when a fragment smaller
than 1 MiB is left it still reads 1 MiB of data, so the condition
"off == size" is never met. This leads to an infinite loop which
continues to write until CephFS becomes full.
Resolves: rhbz#
2379716
Fixes: https://tracker.ceph.com/issues/72238
Signed-off-by: Rishabh Dave <ridave@redhat.com>
if (r < 0) {
ldout(cct, 10) << "fcopyfile: error reading copy data, r=" << r << dendl;
goto out;
- }
+ } else {
+ len = r;
+ }
r = write(dest, in_buf, len, off);
if (r < 0) {
}
off = off + len;
- if (off == size)
+ if (off == size) {
break;
+ } else if (off > size) {
+ ldout(cct, 0) << __FILE__ << ", " << __func__ << "() at " << __LINE__
+ << " internal error: \"off\" is greater than \"size\"; "
+ " off = " << off << " size = " << size << dendl;
+ r = -1;
+ goto out;
+ }
}
}
out:
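Review bot: A read that returns 0 before `off` reaches `size` is not handled by the new `else { len = r; }` branch: `len` becomes 0, `off` stops advancing, and neither `off == size` nor `off > size` can fire, so the loop still never terminates. That can happen if the source file shrinks after `size` was obtained (presumably from a stat before the loop, which is outside this hunk). Add an explicit end-of-data case right after the `r < 0` check, for example `if (r == 0) break;`, or return an error if a short copy must not be reported as success. Separately, `r = -1` in the `off > size` branch will look like -EPERM if callers interpret the result as a negative errno; `r = -EIO;` would describe the failure better. The loop header and the read call sit outside the hunk, so whether `len` is restored to the full chunk size on each iteration after `len = r` cannot be confirmed from here.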