From 317690a8cee57f1d990e466ed958574a32a53123 Mon Sep 17 00:00:00 2001 From: Mykola Golub Date: Mon, 23 Apr 2018 17:07:19 +0300 Subject: [PATCH] librbd: check bounds whent trying to update head object map In deep copy case we may try to update the object map for a copied object that is beyond the current image size but has a larger snapshot. Signed-off-by: Mykola Golub --- src/librbd/ObjectMap.cc | 3 ++- src/librbd/ObjectMap.h | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/librbd/ObjectMap.cc b/src/librbd/ObjectMap.cc index cfc15df629bc2..0a94f5a86e128 100644 --- a/src/librbd/ObjectMap.cc +++ b/src/librbd/ObjectMap.cc @@ -302,7 +302,8 @@ void ObjectMap::aio_update(uint64_t snap_id, uint64_t start_object_no, stringify(static_cast(*current_state)) : "") << "->" << static_cast(new_state) << dendl; if (snap_id == CEPH_NOSNAP) { - if (end_object_no > m_object_map.size()) { + end_object_no = std::min(end_object_no, m_object_map.size()); + if (start_object_no >= end_object_no) { ldout(cct, 20) << "skipping update of invalid object map" << dendl; m_image_ctx.op_work_queue->queue(on_finish, 0); return; diff --git a/src/librbd/ObjectMap.h b/src/librbd/ObjectMap.h index f82f11b72b496..dab91c04cf53a 100644 --- a/src/librbd/ObjectMap.h +++ b/src/librbd/ObjectMap.h @@ -69,6 +69,11 @@ public: const ZTracer::Trace &parent_trace, T *callback_object) { assert(start_object_no < end_object_no); if (snap_id == CEPH_NOSNAP) { + end_object_no = std::min(end_object_no, m_object_map.size()); + if (start_object_no >= end_object_no) { + return false; + } + auto it = m_object_map.begin() + start_object_no; auto end_it = m_object_map.begin() + end_object_no; for (; it != end_it; ++it) { -- 2.39.5
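Review bot: The debug text `skipping update of invalid object map` in `ObjectMap::aio_update` no longer describes the branch it sits in. Once `end_object_no` is clamped to `m_object_map.size()`, the branch is also taken when the requested range lies wholly past the head map, which the commit message treats as a normal deep-copy case. I would reword it to `ldout(cct, 20) << "skipping update: range beyond head object map" << dendl;` and add `// objects past the head map may exist only in a larger snapshot: clamp, do not reject` above the `std::min` line. A range that straddles the end of the map is now applied in part and still completes `on_finish` with 0, so a caller cannot tell it was truncated; if that is intended, the comment should say so. The body of aio_update starts and ends outside this hunk.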
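Review bot: The new early `return false;` in the ObjectMap.h template has no comment saying what `false` tells the caller. From the hunk it appears to mean that no update was issued and `callback_object` will not be invoked, which I would spell out with `// range is entirely past the head object map: nothing to update, callback not invoked`. This clamp is what keeps `m_object_map.begin() + end_object_no` inside the container, so it also deserves a one-line comment naming it as the bounds check. Because `std::min` deduces one type for both arguments, please confirm that `m_object_map.size()` returns the same type as `end_object_no`, and that the header includes `<algorithm>` directly; neither is visible in the hunk. The method's signature and the rest of its body lie outside this hunk.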