crush: ensure bucket id is valid before indexing buckets array

We were indexing the buckets array without verifying the index was
within the [0,max_buckets) range.  This could happen because
a multistep rule does not have enough buckets and has CRUSH_ITEM_NONE
for an intermediate result, which would feed in CRUSH_ITEM_NONE and
make us crash.

Reflects ceph.git commit 976a24a326da8931e689ee22fce35feab5b67b76.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
This commit is contained in:
Ilya Dryomov 2016-01-31 14:35:59 +01:00
parent db6aed7023
commit f224a6915f
1 changed files with 10 additions and 2 deletions

View File

@ -888,6 +888,7 @@ int crush_do_rule(const struct crush_map *map,
osize = 0;
for (i = 0; i < wsize; i++) {
int bno;
/*
* see CRUSH_N, CRUSH_N_MINUS macros.
* basically, numrep <= 0 means relative to
@ -900,6 +901,13 @@ int crush_do_rule(const struct crush_map *map,
continue;
}
j = 0;
/* make sure bucket id is valid */
bno = -1 - w[i];
if (bno < 0 || bno >= map->max_buckets) {
/* w[i] is probably CRUSH_ITEM_NONE */
dprintk(" bad w[i] %d\n", w[i]);
continue;
}
if (firstn) {
int recurse_tries;
if (choose_leaf_tries)
@ -911,7 +919,7 @@ int crush_do_rule(const struct crush_map *map,
recurse_tries = choose_tries;
osize += crush_choose_firstn(
map,
map->buckets[-1-w[i]],
map->buckets[bno],
weight, weight_max,
x, numrep,
curstep->arg2,
@ -930,7 +938,7 @@ int crush_do_rule(const struct crush_map *map,
numrep : (result_max-osize));
crush_choose_indep(
map,
map->buckets[-1-w[i]],
map->buckets[bno],
weight, weight_max,
x, out_size, numrep,
curstep->arg2,