libceph: skip message if too big to receive
We know the length of our message buffers. If we get a message that's too long, just dump it and ignore it. If skip was set then con->in_msg won't be valid, so be careful not to dereference a null pointer in the process. This resolves: http://tracker.ceph.com/issues/4664 Signed-off-by: Alex Elder <elder@inktank.com> Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
@@ -2207,10 +2207,18 @@ static int read_partial_message(struct ceph_connection *con)
|
|||||||
ret = ceph_con_in_msg_alloc(con, &skip);
|
ret = ceph_con_in_msg_alloc(con, &skip);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
BUG_ON(!con->in_msg ^ skip);
|
||||||
|
if (con->in_msg && data_len > con->in_msg->data_length) {
|
||||||
|
pr_warning("%s skipping long message (%u > %zd)\n",
|
||||||
|
__func__, data_len, con->in_msg->data_length);
|
||||||
|
ceph_msg_put(con->in_msg);
|
||||||
|
con->in_msg = NULL;
|
||||||
|
skip = 1;
|
||||||
|
}
|
||||||
if (skip) {
|
if (skip) {
|
||||||
/* skip this message */
|
/* skip this message */
|
||||||
dout("alloc_msg said skip message\n");
|
dout("alloc_msg said skip message\n");
|
||||||
BUG_ON(con->in_msg);
|
|
||||||
con->in_base_pos = -front_len - middle_len - data_len -
|
con->in_base_pos = -front_len - middle_len - data_len -
|
||||||
sizeof(m->footer);
|
sizeof(m->footer);
|
||||||
con->in_tag = CEPH_MSGR_TAG_READY;
|
con->in_tag = CEPH_MSGR_TAG_READY;
|
||||||
|
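Review bot: The new `pr_warning()` in the oversize branch is not rate limited, yet it fires once per message whose `data_len` exceeds `con->in_msg->data_length`. If `data_len` comes from the wire header, as it appears to, a peer that keeps sending oversized messages can flood the kernel log. I would use `pr_warn_ratelimited("%s skipping long message (%u > %zu)\n", ...)`, switching to `%zu` if `data_length` is a `size_t` (its declaration is not visible here). Separately, `BUG_ON(!con->in_msg ^ skip)` is only correct when `skip` is exactly 0 or 1, so any other non-zero value from `ceph_con_in_msg_alloc()` would panic the receive path even with `in_msg` NULL; `BUG_ON(!con->in_msg != !!skip);` states the invariant without that assumption. `read_partial_message()` starts and ends outside this hunk, so the handling of `front_len` and `middle_len` against the allocated buffers cannot be checked from here.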