From fc42652ff24828d029349c2c101015d2fdb4825a Mon Sep 17 00:00:00 2001
From: Yuval Lifshitz <ylifshit@redhat.com>
Date: Fri, 2 Jul 2021 16:12:33 +0300
Subject: [PATCH] rgw/notifications: cache object size to avoid accessing
 invalid memoery

Fixes: https://tracker.ceph.com/issues/51347

Signed-off-by: Yuval Lifshitz <ylifshit@redhat.com>
---
 src/rgw/rgw_op.cc | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index e89ae9732e23..167ad3593e44 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -5270,20 +5270,25 @@ void RGWCopyObj::execute(optional_yield y)
 
   encode_delete_at_attr(delete_at, attrs);
 
-  // get src object size (cached in obj_ctx from verify_permission())
-  RGWObjState* astate = nullptr;
-  op_ret = src_object->get_obj_state(this, s->obj_ctx, &astate, s->yield, true);
-  if (op_ret < 0) {
-    return;
-  }
 
-  if (!s->system_request) { // no quota enforcement for system requests
-    // enforce quota against the destination bucket owner
-    op_ret = dest_bucket->check_quota(this, user_quota, bucket_quota,
-				      astate->accounted_size, y);
+  uint64_t obj_size = 0;
+  {
+    // get src object size (cached in obj_ctx from verify_permission())
+    RGWObjState* astate = nullptr;
+    op_ret = src_object->get_obj_state(this, s->obj_ctx, &astate, s->yield, true);
     if (op_ret < 0) {
       return;
     }
+    obj_size = astate->size;
+  
+    if (!s->system_request) { // no quota enforcement for system requests
+      // enforce quota against the destination bucket owner
+      op_ret = dest_bucket->check_quota(this, user_quota, bucket_quota,
+				      astate->accounted_size, y);
+      if (op_ret < 0) {
+        return;
+      }
+    }
   }
 
   bool high_precision_time = (s->system_request);
@@ -5325,7 +5330,7 @@ void RGWCopyObj::execute(optional_yield y)
 	   s->yield);
 
   // send request to notification manager
-  int ret = res->publish_commit(this, astate->size, mtime, etag, dest_object->get_instance());
+  int ret = res->publish_commit(this, obj_size, mtime, etag, dest_object->get_instance());
   if (ret < 0) {
     ldpp_dout(this, 1) << "ERROR: publishing notification failed, with error: " << ret << dendl;
     // too late to rollback operation, hence op_ret is not set here
-- 
2.47.3