From 32195f948d28f52f37d0bbbdcd324abc47cc6a4e Mon Sep 17 00:00:00 2001 From: Loic Dachary Date: Sun, 28 Sep 2014 10:26:23 +0200 Subject: [PATCH] librados: cap the rados_aio_*{write,append} buffer length If the value of the len parameter is greater than UINT_MAX/2, rados_aio_write, rados_aio_write_full and rados_aio_append will fail with E2BIG. For more information see 33501d242661a545211df43bf645398b492398ae http://tracker.ceph.com/issues/9592 Fixes: #9592 Signed-off-by: Loic Dachary
---
 src/librados/librados.cc | 6 ++++++ src/test/librados/aio.cc | 16 ++++++++++++++++ 2 files changed, 22 insertions(+)
diff --git a/src/librados/librados.cc b/src/librados/librados.cc
index 835e7a137cc4d..c7405df0d70e9 100644
--- a/src/librados/librados.cc
+++ b/src/librados/librados.cc
@@ -3247,6 +3247,8 @@ extern "C" int rados_aio_write(rados_ioctx_t io, const char *o,
 const char *buf, size_t len, uint64_t off)
 {
 tracepoint(librados, rados_aio_write_enter, io, o, completion, buf, len, off);
+ if (len > UINT_MAX/2)
+ return -E2BIG;
 librados::IoCtxImpl *ctx = (librados::IoCtxImpl *)io;
 object_t oid(o);
 bufferlist bl;
@@ -3262,6 +3264,8 @@ extern "C" int rados_aio_append(rados_ioctx_t io, const char *o,
 const char *buf, size_t len)
 {
 tracepoint(librados, rados_aio_append_enter, io, o, completion, buf, len);
+ if (len > UINT_MAX/2)
+ return -E2BIG;
 librados::IoCtxImpl *ctx = (librados::IoCtxImpl *)io;
 object_t oid(o);
 bufferlist bl;
@@ -3277,6 +3281,8 @@ extern "C" int rados_aio_write_full(rados_ioctx_t io, const char *o,
 const char *buf, size_t len)
 {
 tracepoint(librados, rados_aio_write_full_enter, io, o, completion, buf, len);
+ if (len > UINT_MAX/2)
+ return -E2BIG;
 librados::IoCtxImpl *ctx = (librados::IoCtxImpl *)io;
 object_t oid(o);
 bufferlist bl;
diff --git a/src/test/librados/aio.cc b/src/test/librados/aio.cc
index aff7a82932b29..92ffa11e6af1c 100644
--- a/src/test/librados/aio.cc
+++ b/src/test/librados/aio.cc
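Review bot: The `len > UINT_MAX/2` cap added to rados_aio_write in src/librados/librados.cc is a bare literal with no comment, and the same two lines are repeated in the rados_aio_append and rados_aio_write_full hunks, so nothing in the code says which narrower length type the bound protects or keeps the three copies in step. A one-line comment above each check, e.g. `/* reject oversized len with -E2BIG, see tracker issue #9592 */`, or a single shared constant for the limit, would make the intent auditable. The check also sits after the `_enter` tracepoint, so if these functions emit a matching exit tracepoint further down (not visible; all three bodies continue outside their hunks), a rejected call is traced as entered but never as exited. The public header documentation for these three calls presumably needs `-E2BIG` added to the listed return values as well.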
@@ -161,6 +161,22 @@ void set_completion_safePP(rados_completion_t cb, void *arg)
 sem_post(&test->m_sem);
 }
+TEST(LibRadosAio, TooBig) {
+ AioTestData test_data;
+ rados_completion_t my_completion;
+ ASSERT_EQ("", test_data.init());
+ ASSERT_EQ(0, rados_aio_create_completion((void*)&test_data,
+ set_completion_complete, set_completion_safe, &my_completion));
+ char buf[128];
+ memset(buf, 0xcc, sizeof(buf));
+ ASSERT_EQ(-E2BIG, rados_aio_write(test_data.m_ioctx, "foo",
+ my_completion, buf, UINT_MAX, 0));
+ ASSERT_EQ(-E2BIG, rados_aio_write_full(test_data.m_ioctx, "foo",
+ my_completion, buf, UINT_MAX));
+ ASSERT_EQ(-E2BIG, rados_aio_append(test_data.m_ioctx, "foo",
+ my_completion, buf, UINT_MAX));
+}
+
 TEST(LibRadosAio, SimpleWrite) {
 AioTestData test_data;
 rados_completion_t my_completion;
--
2.39.5
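Review bot: The completion created by rados_aio_create_completion in TooBig is never released before the test returns; adding `rados_aio_release(my_completion);` ahead of the closing brace would avoid leaking it. All three assertions pass only `UINT_MAX`, so the comparison itself is not pinned: a case at `(size_t)UINT_MAX/2 + 1` would catch an off-by-one or a change of operator in the cap. Note also that `buf` is 128 bytes while the calls claim a length of UINT_MAX, which is safe only because the cap rejects the call before the buffer is read; if the check regressed, the test would read far past `buf` instead of failing cleanly, and a short comment in the test saying so would help the next reader.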