From 74fdf7053b69a69cb47f33c21398ecd33ec8ad56 Mon Sep 17 00:00:00 2001
From: Sage Weil <sage.weil@dreamhost.com>
Date: Sat, 23 Jul 2011 14:36:46 -0700
Subject: [PATCH] osd: verify src range exists for CLONERANGE

Make sure the source object extent does not extend past EOF when doing a
CLONERANGE.

Signed-off-by: Sage Weil <sage.weil@dreamhost.com>
---
 src/osd/ReplicatedPG.cc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/osd/ReplicatedPG.cc b/src/osd/ReplicatedPG.cc
index c336fe57ce0f9..05cc5518c40ae 100644
--- a/src/osd/ReplicatedPG.cc
+++ b/src/osd/ReplicatedPG.cc
@@ -1112,6 +1112,12 @@ int ReplicatedPG::do_osd_ops(OpContext *ctx, vector<OSDOp>& ops,
 	ctx->user_modify = true;
     }
 
+    ObjectContext *src_obc = 0;
+    if (ceph_osd_op_type_multi(op.op)) {
+      src_obc = ctx->src_obc[osd_op.soid];
+      assert(src_obc);
+    }
+
     // munge ZERO -> TRUNCATE?  (don't munge to DELETE or we risk hosing attributes)
     if (op.op == CEPH_OSD_OP_ZERO &&
 	obs.exists &&
@@ -1590,6 +1596,13 @@ int ReplicatedPG::do_osd_ops(OpContext *ctx, vector<OSDOp>& ops,
 	  t.touch(coll, obs.oi.soid);
 	  maybe_created = true;
 	}
+	if (op.clonerange.src_offset + op.clonerange.length > src_obc->obs.oi.size) {
+	  dout(10) << " clonerange source " << osd_op.soid << " "
+		   << op.clonerange.src_offset << "~" << op.clonerange.length
+		   << " extends past size " << src_obc->obs.oi.size << dendl;
+	  result = -EINVAL;
+	  break;
+	}
 	t.clone_range(coll, osd_op.soid, obs.oi.soid,
 		      op.clonerange.src_offset, op.clonerange.length, op.clonerange.offset);
 
-- 
2.39.5