From 4aff4ea3290dc7fb62c639bfc74fcfdde5fe9542 Mon Sep 17 00:00:00 2001
From: Jason Dillaman
Date: Mon, 14 Mar 2016 13:57:28 -0400
Subject: [PATCH] cls_rbd: protect against excessively large object maps

Fixes: #15121
Signed-off-by: Jason Dillaman
---
 src/cls/rbd/cls_rbd.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/cls/rbd/cls_rbd.cc b/src/cls/rbd/cls_rbd.cc
index af1e740d91522..14d19f2db6d6e 100644
--- a/src/cls/rbd/cls_rbd.cc
+++ b/src/cls/rbd/cls_rbd.cc
@@ -130,6 +130,7 @@ cls_method_handle_t h_mirror_image_remove;
 #define RBD_DIR_ID_KEY_PREFIX "id_"
 #define RBD_DIR_NAME_KEY_PREFIX "name_"
 #define RBD_METADATA_KEY_PREFIX "metadata_"
+#define RBD_MAX_OBJECT_MAP_OBJECT_COUNT 256000000
 
 static int snap_read_header(cls_method_context_t hctx, bufferlist& bl)
 {
@@ -2259,6 +2260,12 @@ int object_map_resize(cls_method_context_t hctx, bufferlist *in, bufferlist *out
 return -EINVAL;
 }
 
+ // protect against excessive memory requirements
+ if (object_count > RBD_MAX_OBJECT_MAP_OBJECT_COUNT) {
+ CLS_ERR("object map too large: %" PRIu64, object_count);
+ return -EINVAL;
+ }
+
 BitVector<2> object_map;
 int r = object_map_read(hctx, object_map);
 if ((r < 0) && (r != -ENOENT)) {
-- 
2.39.5
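Review bot: The new `RBD_MAX_OBJECT_MAP_OBJECT_COUNT` define in the first hunk has no comment saying what the number bounds or how it was chosen, so a later reader cannot judge whether 256000000 is safe to raise. I would put a line above it such as `// upper bound on objects tracked by one object map; limits the BitVector<2> built in object_map_resize`. As a point of style, the limit is an untyped macro compared against a value that the second hunk prints with PRIu64; the literal fits in int and promotes correctly, but a `static const uint64_t` would keep both sides of the comparison in one type.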
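Review bot: The size cap in the second hunk covers only this resize path, and the hunk does not show whether the other cls_rbd methods that load or decode an object map enforce the same limit. `object_map_read(hctx, object_map)` directly below reads the stored map, so a map persisted before this change, or written through another method, could presumably still demand a large allocation on the OSD; that needs checking outside this hunk. Because `object_count` appears to come from the request buffer `in`, the comment should say so, e.g. `// object_count comes from the client request; reject before any BitVector allocation`. object_map_resize begins and ends outside the hunk.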