From 97f474fb6b26ae7b7e2fdd21de4f4bd98cdd56ab Mon Sep 17 00:00:00 2001
From: Jason Dillaman
Date: Mon, 14 Mar 2016 13:57:28 -0400
Subject: [PATCH] cls_rbd: protect against excessively large object maps

Fixes: #15121
Signed-off-by: Jason Dillaman
(cherry picked from commit 4aff4ea3290dc7fb62c639bfc74fcfdde5fe9542)
Conflicts:
src/cls/rbd/cls_rbd.cc
`RBD_METADATA_KEY_PREFIX` is not introduced on hammer, so remove it
---
 src/cls/rbd/cls_rbd.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/cls/rbd/cls_rbd.cc b/src/cls/rbd/cls_rbd.cc
index ae2a432507fe..c10263c9f441 100644
--- a/src/cls/rbd/cls_rbd.cc
+++ b/src/cls/rbd/cls_rbd.cc
@@ -104,6 +104,7 @@ cls_method_handle_t h_old_snapshot_remove;
 #define RBD_SNAP_KEY_PREFIX "snapshot_"
 #define RBD_DIR_ID_KEY_PREFIX "id_"
 #define RBD_DIR_NAME_KEY_PREFIX "name_"
+#define RBD_MAX_OBJECT_MAP_OBJECT_COUNT 256000000
 
 static int snap_read_header(cls_method_context_t hctx, bufferlist& bl)
 {
@@ -1996,6 +1997,12 @@ int object_map_resize(cls_method_context_t hctx, bufferlist *in, bufferlist *out
 return -EINVAL;
 }
 
+ // protect against excessive memory requirements
+ if (object_count > RBD_MAX_OBJECT_MAP_OBJECT_COUNT) {
+ CLS_ERR("object map too large: %" PRIu64, object_count);
+ return -EINVAL;
+ }
+
 BitVector<2> object_map;
 int r = object_map_read(hctx, object_map);
 if ((r < 0) && (r != -ENOENT)) {
-- 
2.47.3
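Review bot: `RBD_MAX_OBJECT_MAP_OBJECT_COUNT` is added without a comment saying what the number bounds or why 256000000 was chosen. The second hunk compares it with `object_count` just before a `BitVector<2>` is declared, so, assuming two bits per element, the cap works out to about 64 MB of packed state. A line such as `// upper bound on objects in one object map (2 bits each, ~64 MB) to cap OSD memory use` above the define would record that for whoever tunes the value later.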
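Review bot: The new bound is applied only to the `object_count` argument of `object_map_resize`; whether other cls_rbd handlers that accept or decode an object map enforce the same limit cannot be seen from this hunk and is worth confirming, since the count is presumably decoded from the request's `in` bufferlist. The rejection logs the requested count but not the limit it exceeded; `CLS_ERR("object map too large: %" PRIu64 " (max %d)", object_count, RBD_MAX_OBJECT_MAP_OBJECT_COUNT);` would make the log line self-explanatory when triaging a refused resize. The body of `object_map_resize` starts before and continues after the hunk, so how `object_count` is decoded is not visible here.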