From 920abc9e3d0c5fa6ae358b936707cd16e4357269 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Sun, 9 Nov 2008 20:21:43 -0800
Subject: [PATCH] kclient: fix osd reply handler sanity check

---
 src/kernel/osd_client.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/kernel/osd_client.c b/src/kernel/osd_client.c
index 3143d3cc90cb5..8d4b7bbf32894 100644
--- a/src/kernel/osd_client.c
+++ b/src/kernel/osd_client.c
@@ -321,10 +321,15 @@ void ceph_osdc_handle_reply(struct ceph_osd_client *osdc, struct ceph_msg *msg)
 struct ceph_osd_reply_head *rhead = msg->front.iov_base;
 struct ceph_osd_request *req;
 u64 tid;
+ int numops;
 
- if (msg->front.iov_len != sizeof(*rhead))
+ if (msg->front.iov_len < sizeof(*rhead))
 goto bad;
 tid = le64_to_cpu(rhead->tid);
+ numops = le16_to_cpu(rhead->num_ops);
+ if (msg->front.iov_len != sizeof(*rhead) +
+ numops * sizeof(struct ceph_osd_op))
+ goto bad;
 dout(10, "handle_reply %p tid %llu\n", msg, tid);
 
 /* lookup */
-- 
2.39.5
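Review bot: `numops` is declared `int` but holds the result of `le16_to_cpu(rhead->num_ops)` and is then multiplied by `sizeof(struct ceph_osd_op)`, so the exact-length comparison mixes a signed variable into size_t arithmetic on a value taken from the wire. With a 16-bit field the value cannot be negative and the product should not wrap for any realistic op size, so the check looks sound as written, but declaring it `unsigned int numops;` keeps that property visible and keeps the check safe if the field is ever widened. A one-line comment above the second check would help the next reader, for example `/* front must be exactly the header plus num_ops ops */`, since the first check only guarantees that the header itself can be read. The body of ceph_osdc_handle_reply continues outside the hunk, so what the `bad` label logs or drops for a malformed reply is not visible here.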