From df555cf5d027bd816fa5e94706dd914414e47c29 Mon Sep 17 00:00:00 2001 From: Christopher Hoffman Date: Wed, 20 Aug 2025 19:36:14 +0000 Subject: [PATCH] mgr/volumes: Enforce enctag max size Introduce enctag max length. Include error messages when outside of range. Signed-off-by: Christopher Hoffman --- .../mgr/volumes/fs/operations/versions/subvolume_base.py | 7 ++++++- src/python-common/ceph/fs/enctag.py | 9 +++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/pybind/mgr/volumes/fs/operations/versions/subvolume_base.py b/src/pybind/mgr/volumes/fs/operations/versions/subvolume_base.py index 2f2cc642b96..7da00d83aab 100644 --- a/src/pybind/mgr/volumes/fs/operations/versions/subvolume_base.py +++ b/src/pybind/mgr/volumes/fs/operations/versions/subvolume_base.py @@ -346,7 +346,12 @@ class SubvolumeBase(object): enctag = attrs.get("enctag", None) if enctag is not None: fs_enctag = CephFSVolumeEncryptionTag(self.fs, path) - fs_enctag.set_tag(enctag) + try: + fs_enctag.set_tag(enctag) + except EncryptionTagException: + raise VolumeException(-errno.EINVAL, + "invalid enctag specified: length '{0} > {1}'".format(len(enctag), fs_enctag.ENCTAG_MAX)) + fscrypt_auth = attrs.get("fscrypt_auth") if fscrypt_auth is not None: diff --git a/src/python-common/ceph/fs/enctag.py b/src/python-common/ceph/fs/enctag.py index 14bdbac6560..a3633dbed43 100644 --- a/src/python-common/ceph/fs/enctag.py +++ b/src/python-common/ceph/fs/enctag.py 
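Review bot: The new `except EncryptionTagException:` around `fs_enctag.set_tag(enctag)` catches every failure set_tag can report, not only the length check. In enctag.py the same exception type is also raised for an OSError from setxattr and for unexpected errors, so a permission or I/O failure would presumably reach the caller as -EINVAL with a "length 'N > 255'" message even when the tag is within bounds. Bind the exception with `except EncryptionTagException as e:` and re-raise with `from e`, reusing the errno and message it carries, and keep the length text for the length case only. This also assumes `EncryptionTagException` and `errno` are already imported in subvolume_base.py, since the patch has no import hunk for that file. The enclosing method starts and ends outside the hunk.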
@@ -36,19 +36,21 @@ class EncryptionTagException(Exception): class CephFSVolumeEncryptionTag: + ENCTAG_MAX = 255 + def __init__(self, fs, path: str) -> None: self.fs = fs self.path = path def _handle_cephfs_error(self, e: Exception, action: str) -> None: if isinstance(e, ValueError): - raise EncryptionTagException(errno.EINVAL, f"Invalid encryption tag specified: {e}") from e + raise EncryptionTagException(-errno.EINVAL, f"Invalid encryption tag specified: {e}") from e elif isinstance(e, OSError): log.error(f"Error {action} encryption tag: {e}") raise EncryptionTagException(-e.errno, e.strerror) from e else: log.error(f"Unexpected error {action} encryption tag: {e}") - raise EncryptionTagException(errno.EIO, "Unexpected error") from e + raise EncryptionTagException(-errno.EIO, "Unexpected error") from e def get_tag(self) -> Optional[str]: try: @@ -63,6 +65,9 @@ class CephFSVolumeEncryptionTag: def set_tag(self, enc_tag: str): try: + if len(enc_tag) > self.ENCTAG_MAX: + raise ValueError(f"length '{len(enc_tag)} > {self.ENCTAG_MAX}'") + self.fs.setxattr(self.path, XATTR_SUBVOLUME_ENCTAG_NAME, enc_tag.encode('utf-8'), 0) log.info(f"Encryption Tag '{enc_tag}' set on {self.path}.") except Exception as e: -- 2.39.5
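Review bot: `ENCTAG_MAX = 255` is added without a comment saying what unit it is in or which limit it mirrors. In set_tag it is compared with `len(enc_tag)` on a str, so a comment such as `# Maximum enctag length accepted by set_tag(), measured with len() on the str` would make the contract explicit. If 255 comes from a CephFS-side limit, naming that limit in the comment would help keep the two in sync.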
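Review bot: The length check in set_tag compares `len(enc_tag)`, which counts code points, with ENCTAG_MAX, but the value written is `enc_tag.encode('utf-8')`, so a tag with non-ASCII characters can pass the check and still store more than 255 bytes. If the limit is meant to bound the stored xattr value, which seems likely, encode first and check the bytes: `encoded = enc_tag.encode('utf-8')` then `if len(encoded) > self.ENCTAG_MAX:`. The message built in subvolume_base.py uses the same `len(enctag)` and would need to match. The commit message speaks of a range, but only the upper bound is enforced, so an empty tag is still accepted. set_tag's except clause continues outside the hunk.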