From 1ceae7ef0fd00c965a2257c6e9eb497ca91f01c7 Mon Sep 17 00:00:00 2001
From: Alex Elder <elder@inktank.com>
Date: Wed, 6 Feb 2013 13:11:38 -0600
Subject: [PATCH] rbd: prevent bytes transferred overflow

In rbd_obj_read_sync(), verify the number of bytes transferred won't
exceed what can be represented by a size_t before using it to
indicate the number of bytes to copy to the result buffer.

(The real motivation for this is to prepare for the next patch.)

Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
---
 drivers/block/rbd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 09514d9d8a97..93369a1a08e1 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -2048,6 +2048,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
 	struct ceph_osd_client *osdc;
 	struct page **pages = NULL;
 	u32 page_count;
+	size_t size;
 	int ret;
 
 	page_count = (u32) calc_pages_for(offset, length);
@@ -2084,7 +2085,10 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev,
 	ret = obj_request->result;
 	if (ret < 0)
 		goto out;
-	ret = ceph_copy_from_page_vector(pages, buf, 0, obj_request->xferred);
+
+	rbd_assert(obj_request->xferred <= (u64) SIZE_MAX);
+	size = (size_t) obj_request->xferred;
+	ret = ceph_copy_from_page_vector(pages, buf, 0, size);
 	if (version)
 		*version = obj_request->version;
 out:
-- 
2.34.1