dlm: dlm_process_incoming_buffer() fixes
* check that length is large enough to cover the non-variable part of message or rcom resp. (after checking that it's large enough to cover the header, of course). * kill more pointless casts Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Teigland <teigland@redhat.com>
parent
8b0d8e03f8
commit
eef7d739c2
|
@ -403,6 +403,12 @@ struct dlm_rcom {
|
||||||
char rc_buf[0];
|
char rc_buf[0];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
union dlm_packet {
|
||||||
|
struct dlm_header header; /* common to other two */
|
||||||
|
struct dlm_message message;
|
||||||
|
struct dlm_rcom rcom;
|
||||||
|
};
|
||||||
|
|
||||||
struct rcom_config {
|
struct rcom_config {
|
||||||
uint32_t rf_lvblen;
|
uint32_t rf_lvblen;
|
||||||
uint32_t rf_lsflags;
|
uint32_t rf_lsflags;
|
||||||
|
|
|
@ -3822,21 +3822,20 @@ void dlm_receive_message_saved(struct dlm_ls *ls, struct dlm_message *ms)
|
||||||
standard locking activity) or an RCOM (recovery message sent as part of
|
standard locking activity) or an RCOM (recovery message sent as part of
|
||||||
lockspace recovery). */
|
lockspace recovery). */
|
||||||
|
|
||||||
void dlm_receive_buffer(struct dlm_header *hd, int nodeid)
|
void dlm_receive_buffer(union dlm_packet *p, int nodeid)
|
||||||
{
|
{
|
||||||
struct dlm_message *ms = (struct dlm_message *) hd;
|
struct dlm_header *hd = &p->header;
|
||||||
struct dlm_rcom *rc = (struct dlm_rcom *) hd;
|
|
||||||
struct dlm_ls *ls;
|
struct dlm_ls *ls;
|
||||||
int type = 0;
|
int type = 0;
|
||||||
|
|
||||||
switch (hd->h_cmd) {
|
switch (hd->h_cmd) {
|
||||||
case DLM_MSG:
|
case DLM_MSG:
|
||||||
dlm_message_in(ms);
|
dlm_message_in(&p->message);
|
||||||
type = ms->m_type;
|
type = p->message.m_type;
|
||||||
break;
|
break;
|
||||||
case DLM_RCOM:
|
case DLM_RCOM:
|
||||||
dlm_rcom_in(rc);
|
dlm_rcom_in(&p->rcom);
|
||||||
type = rc->rc_type;
|
type = p->rcom.rc_type;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
log_print("invalid h_cmd %d from %u", hd->h_cmd, nodeid);
|
log_print("invalid h_cmd %d from %u", hd->h_cmd, nodeid);
|
||||||
|
@ -3856,7 +3855,7 @@ void dlm_receive_buffer(struct dlm_header *hd, int nodeid)
|
||||||
hd->h_lockspace, nodeid, hd->h_cmd, type);
|
hd->h_lockspace, nodeid, hd->h_cmd, type);
|
||||||
|
|
||||||
if (hd->h_cmd == DLM_RCOM && type == DLM_RCOM_STATUS)
|
if (hd->h_cmd == DLM_RCOM && type == DLM_RCOM_STATUS)
|
||||||
dlm_send_ls_not_ready(nodeid, rc);
|
dlm_send_ls_not_ready(nodeid, &p->rcom);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -3865,9 +3864,9 @@ void dlm_receive_buffer(struct dlm_header *hd, int nodeid)
|
||||||
|
|
||||||
down_read(&ls->ls_recv_active);
|
down_read(&ls->ls_recv_active);
|
||||||
if (hd->h_cmd == DLM_MSG)
|
if (hd->h_cmd == DLM_MSG)
|
||||||
dlm_receive_message(ls, ms, nodeid);
|
dlm_receive_message(ls, &p->message, nodeid);
|
||||||
else
|
else
|
||||||
dlm_receive_rcom(ls, rc, nodeid);
|
dlm_receive_rcom(ls, &p->rcom, nodeid);
|
||||||
up_read(&ls->ls_recv_active);
|
up_read(&ls->ls_recv_active);
|
||||||
|
|
||||||
dlm_put_lockspace(ls);
|
dlm_put_lockspace(ls);
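Review bot: `dlm_receive_buffer()` now passes `&p->message` and `&p->rcom` straight to `dlm_message_in()` / `dlm_rcom_in()`, but nothing in the block comment above it states that the caller must already have checked the length. Those calls, and the reads of `m_type` / `rc_type`, touch the fixed-size structure before any other validation visible in these hunks, so a future caller that skips the length check would read past the received data. I would add to the existing comment: `The caller must have verified that h_length covers sizeof(struct dlm_message) or sizeof(struct dlm_rcom), as selected by h_cmd.` The function body continues between the hunks, outside what is shown here.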
|
||||||
|
|
|
@ -17,7 +17,7 @@ void dlm_print_rsb(struct dlm_rsb *r);
|
||||||
void dlm_dump_rsb(struct dlm_rsb *r);
|
void dlm_dump_rsb(struct dlm_rsb *r);
|
||||||
void dlm_print_lkb(struct dlm_lkb *lkb);
|
void dlm_print_lkb(struct dlm_lkb *lkb);
|
||||||
void dlm_receive_message_saved(struct dlm_ls *ls, struct dlm_message *ms);
|
void dlm_receive_message_saved(struct dlm_ls *ls, struct dlm_message *ms);
|
||||||
void dlm_receive_buffer(struct dlm_header *hd, int nodeid);
|
void dlm_receive_buffer(union dlm_packet *p, int nodeid);
|
||||||
int dlm_modes_compat(int mode1, int mode2);
|
int dlm_modes_compat(int mode1, int mode2);
|
||||||
void dlm_put_rsb(struct dlm_rsb *r);
|
void dlm_put_rsb(struct dlm_rsb *r);
|
||||||
void dlm_hold_rsb(struct dlm_rsb *r);
|
void dlm_hold_rsb(struct dlm_rsb *r);
|
||||||
|
|
|
@ -61,9 +61,9 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
|
||||||
union {
|
union {
|
||||||
unsigned char __buf[DLM_INBUF_LEN];
|
unsigned char __buf[DLM_INBUF_LEN];
|
||||||
/* this is to force proper alignment on some arches */
|
/* this is to force proper alignment on some arches */
|
||||||
struct dlm_header dlm;
|
union dlm_packet p;
|
||||||
} __tmp;
|
} __tmp;
|
||||||
struct dlm_header *msg = &__tmp.dlm;
|
union dlm_packet *p = &__tmp.p;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
int err = 0;
|
int err = 0;
|
||||||
uint16_t msglen;
|
uint16_t msglen;
|
||||||
|
@ -75,15 +75,22 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
|
||||||
message may wrap around the end of the buffer back to the
|
message may wrap around the end of the buffer back to the
|
||||||
start, so we need to use a temp buffer and copy_from_cb. */
|
start, so we need to use a temp buffer and copy_from_cb. */
|
||||||
|
|
||||||
copy_from_cb(msg, base, offset, sizeof(struct dlm_header),
|
copy_from_cb(p, base, offset, sizeof(struct dlm_header),
|
||||||
limit);
|
limit);
|
||||||
|
|
||||||
msglen = le16_to_cpu(msg->h_length);
|
msglen = le16_to_cpu(p->header.h_length);
|
||||||
lockspace = msg->h_lockspace;
|
lockspace = p->header.h_lockspace;
|
||||||
|
|
||||||
err = -EINVAL;
|
err = -EINVAL;
|
||||||
if (msglen < sizeof(struct dlm_header))
|
if (msglen < sizeof(struct dlm_header))
|
||||||
break;
|
break;
|
||||||
|
if (p->header.h_cmd == DLM_MSG) {
|
||||||
|
if (msglen < sizeof(struct dlm_message))
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
if (msglen < sizeof(struct dlm_rcom))
|
||||||
|
break;
|
||||||
|
}
|
||||||
err = -E2BIG;
|
err = -E2BIG;
|
||||||
if (msglen > dlm_config.ci_buffer_size) {
|
if (msglen > dlm_config.ci_buffer_size) {
|
||||||
log_print("message size %d from %d too big, buf len %d",
|
log_print("message size %d from %d too big, buf len %d",
|
||||||
|
@ -104,26 +111,26 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
|
||||||
in the buffer on the stack (which should work for most
|
in the buffer on the stack (which should work for most
|
||||||
ordinary messages). */
|
ordinary messages). */
|
||||||
|
|
||||||
if (msglen > DLM_INBUF_LEN && msg == &__tmp.dlm) {
|
if (msglen > sizeof(__tmp) && p == &__tmp.p) {
|
||||||
msg = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
|
p = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
|
||||||
if (msg == NULL)
|
if (p == NULL)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
copy_from_cb(msg, base, offset, msglen, limit);
|
copy_from_cb(p, base, offset, msglen, limit);
|
||||||
|
|
||||||
BUG_ON(lockspace != msg->h_lockspace);
|
BUG_ON(lockspace != p->header.h_lockspace);
|
||||||
|
|
||||||
ret += msglen;
|
ret += msglen;
|
||||||
offset += msglen;
|
offset += msglen;
|
||||||
offset &= (limit - 1);
|
offset &= (limit - 1);
|
||||||
len -= msglen;
|
len -= msglen;
|
||||||
|
|
||||||
dlm_receive_buffer(msg, nodeid);
|
dlm_receive_buffer(p, nodeid);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (msg != &__tmp.dlm)
|
if (p != &__tmp.p)
|
||||||
kfree(msg);
|
kfree(p);
|
||||||
|
|
||||||
return err ? err : ret;
|
return err ? err : ret;
|
||||||
}
|
}
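Review bot: The added minimum-length checks bound `msglen` only against the fixed part of `struct dlm_message` / `struct dlm_rcom`, so the variable tail (`rc_buf`, declared `char rc_buf[0];`) still reaches the handlers unchecked against `h_length`. Any handler that reads a structure out of that tail, presumably `struct rcom_config` among them, needs its own check that `h_length` is at least `sizeof(struct dlm_rcom)` plus the size of what it reads; those handlers are not on this page. Separately, the `else` branch applies the rcom minimum to every `h_cmd` other than `DLM_MSG`, and an unknown command that is long enough is still copied in full and only rejected by the `invalid h_cmd` path in `dlm_receive_buffer()`. If that is intended, a comment such as `/* unknown h_cmd is rejected in dlm_receive_buffer() */` on the `else` would make it explicit; otherwise use `} else if (p->header.h_cmd == DLM_RCOM) {` with a final `else` that breaks. The function body starts outside the hunks.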
|
||||||
|
|