From 14a1e6ecd467320edcd8b2b70c538102e66d3a83 Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@inktank.com>
Date: Fri, 23 Aug 2013 15:02:00 -0700
Subject: [PATCH] osd/ReplicatedPG: verify we have enough data for WRITE and
 WRITEFULL

Fixes: #2207
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Samuel Just <sam.just@inktank.com>
---
 src/osd/ReplicatedPG.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/osd/ReplicatedPG.cc b/src/osd/ReplicatedPG.cc
index 60eb65b7d8ba1..a2a40058ac1e3 100644
--- a/src/osd/ReplicatedPG.cc
+++ b/src/osd/ReplicatedPG.cc
@@ -2594,6 +2594,10 @@ int ReplicatedPG::do_osd_ops(OpContext *ctx, vector<OSDOp>& ops)
     case CEPH_OSD_OP_WRITE:
       ++ctx->num_write;
       { // write
+	if (op.extent.length > osd_op.indata.length()) {
+	  result = -EINVAL;
+	  break;
+	}
         __u32 seq = oi.truncate_seq;
         if (seq && (seq > op.extent.truncate_seq) &&
             (op.extent.offset + op.extent.length > oi.size)) {
@@ -2640,6 +2644,10 @@ int ReplicatedPG::do_osd_ops(OpContext *ctx, vector<OSDOp>& ops)
     case CEPH_OSD_OP_WRITEFULL:
       ++ctx->num_write;
       { // write full object
+	if (op.extent.length > osd_op.indata.length()) {
+	  result = -EINVAL;
+	  break;
+	}
 	result = check_offset_and_length(op.extent.offset, op.extent.length);
 	if (result < 0)
 	  break;
-- 
2.39.5