From: Jason Dillaman
Date: Mon, 14 Mar 2016 17:57:28 +0000 (-0400)
Subject: cls_rbd: protect against excessively large object maps
X-Git-Tag: v10.1.0~106^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4aff4ea3290dc7fb62c639bfc74fcfdde5fe9542;p=ceph.git

cls_rbd: protect against excessively large object maps

Fixes: #15121
Signed-off-by: Jason Dillaman
---

diff --git a/src/cls/rbd/cls_rbd.cc b/src/cls/rbd/cls_rbd.cc
index af1e740d915..14d19f2db6d 100644
--- a/src/cls/rbd/cls_rbd.cc
+++ b/src/cls/rbd/cls_rbd.cc
@@ -130,6 +130,7 @@ cls_method_handle_t h_mirror_image_remove;
 #define RBD_DIR_ID_KEY_PREFIX "id_"
 #define RBD_DIR_NAME_KEY_PREFIX "name_"
 #define RBD_METADATA_KEY_PREFIX "metadata_"
+#define RBD_MAX_OBJECT_MAP_OBJECT_COUNT 256000000
 
 static int snap_read_header(cls_method_context_t hctx, bufferlist& bl)
 {
@@ -2259,6 +2260,12 @@ int object_map_resize(cls_method_context_t hctx, bufferlist *in, bufferlist *out
 return -EINVAL;
 }
 
+ // protect against excessive memory requirements
+ if (object_count > RBD_MAX_OBJECT_MAP_OBJECT_COUNT) {
+ CLS_ERR("object map too large: %" PRIu64, object_count);
+ return -EINVAL;
+ }
+
 BitVector<2> object_map;
 int r = object_map_read(hctx, object_map);
 if ((r < 0) && (r != -ENOENT)) {
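Review bot: `RBD_MAX_OBJECT_MAP_OBJECT_COUNT` is added without a comment saying how 256000000 was chosen or what resource it bounds. Going by the `BitVector<2>` used in `object_map_resize`, each object appears to take two bits, so the cap would correspond to roughly 64 MB of map data; that reasoning belongs next to the define, e.g. `// max objects per object map; at 2 bits each this caps the in-memory map at ~64 MB`. The literal is also unsuffixed while it is compared with a count printed via `PRIu64`; writing `256000000ULL` would make the intended width explicit.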
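Review bot: The size limit is enforced only on the `object_count` requested in `object_map_resize`; the map that `object_map_read` loads immediately afterwards is not compared with `RBD_MAX_OBJECT_MAP_OBJECT_COUNT` in the lines shown, and neither is any other method that accepts a client-encoded map, if the file has one outside this hunk. If the aim is to bound memory for every object-map operation, the same comparison likely belongs in the shared read/decode path as well, so an oversized map cannot reach the allocation by another route. A test that requests `RBD_MAX_OBJECT_MAP_OBJECT_COUNT + 1` objects and expects `-EINVAL` would pin the boundary. The function body starts and ends outside the hunk.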