dlm: dlm_process_incoming_buffer() fixes

* check that length is large enough to cover the non-variable part of message or rcom resp. (after checking that it's large enough to cover the header, of course). * kill more pointless casts Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Teigland <teigland@redhat.com>

dlm: dlm_process_incoming_buffer() fixes
* check that length is large enough to cover the non-variable part of message or rcom resp. (after checking that it's large enough to cover the header, of course). * kill more pointless casts Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Teigland <teigland@redhat.com>
eef7d739 · Al Viro · David Teigland · 8b0d8e03 · eef7d739 · eef7d739
Commit eef7d739 authored Jan 25, 2008 by Al Viro Committed by David Teigland Feb 04, 2008
Show whitespace changes
Inline Side-by-side

Showing with 36 additions and 24 deletions

fs/dlm/dlm_internal.h fs/dlm/dlm_internal.h +6 -0

fs/dlm/lock.c fs/dlm/lock.c +9 -10

fs/dlm/lock.h fs/dlm/lock.h +1 -1

fs/dlm/midcomms.c fs/dlm/midcomms.c +20 -13

No files found.
--- a/fs/dlm/dlm_internal.h
+++ b/fs/dlm/dlm_internal.h
@@ -403,6 +403,12 @@ struct dlm_rcom {
 	char			rc_buf[0];
 };
+union dlm_packet {
+	struct dlm_header	header;		/* common to other two */
+	struct dlm_message	message;
+	struct dlm_rcom		rcom;
+};
 struct rcom_config {
 	uint32_t		rf_lvblen;
 	uint32_t		rf_lsflags;

--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -3822,21 +3822,20 @@ void dlm_receive_message_saved(struct dlm_ls *ls, struct dlm_message *ms)
   standard locking activity) or an RCOM (recovery message sent as part of
   lockspace recovery). */
-void dlm_receive_buffer(struct dlm_header *hd, int nodeid)
+void dlm_receive_buffer(union dlm_packet *p, int nodeid)
 {
-	struct dlm_message *ms = (struct dlm_message *) hd;
+	struct dlm_header *hd = &p->header;
-	struct dlm_rcom *rc = (struct dlm_rcom *) hd;
 	struct dlm_ls *ls;
 	int type = 0;
 	switch (hd->h_cmd) {
 	case DLM_MSG:
-		dlm_message_in(ms);
+		dlm_message_in(&p->message);
-		type = ms->m_type;
+		type = p->message.m_type;
 		break;
 	case DLM_RCOM:
-		dlm_rcom_in(rc);
+		dlm_rcom_in(&p->rcom);
-		type = rc->rc_type;
+		type = p->rcom.rc_type;
 		break;
 	default:
 		log_print("invalid h_cmd %d from %u", hd->h_cmd, nodeid);
@@ -3856,7 +3855,7 @@ void dlm_receive_buffer(struct dlm_header *hd, int nodeid)
 				  hd->h_lockspace, nodeid, hd->h_cmd, type);
 		if (hd->h_cmd == DLM_RCOM && type == DLM_RCOM_STATUS)
-			dlm_send_ls_not_ready(nodeid, rc);
+			dlm_send_ls_not_ready(nodeid, &p->rcom);
 		return;
 	}
@@ -3865,9 +3864,9 @@ void dlm_receive_buffer(struct dlm_header *hd, int nodeid)
 	down_read(&ls->ls_recv_active);
 	if (hd->h_cmd == DLM_MSG)
-		dlm_receive_message(ls, ms, nodeid);
+		dlm_receive_message(ls, &p->message, nodeid);
 	else
-		dlm_receive_rcom(ls, rc, nodeid);
+		dlm_receive_rcom(ls, &p->rcom, nodeid);
 	up_read(&ls->ls_recv_active);
 	dlm_put_lockspace(ls);

--- a/fs/dlm/lock.h
+++ b/fs/dlm/lock.h
@@ -17,7 +17,7 @@ void dlm_print_rsb(struct dlm_rsb *r);
 void dlm_dump_rsb(struct dlm_rsb *r);
 void dlm_print_lkb(struct dlm_lkb *lkb);
 void dlm_receive_message_saved(struct dlm_ls *ls, struct dlm_message *ms);
-void dlm_receive_buffer(struct dlm_header *hd, int nodeid);
+void dlm_receive_buffer(union dlm_packet *p, int nodeid);
 int dlm_modes_compat(int mode1, int mode2);
 void dlm_put_rsb(struct dlm_rsb *r);
 void dlm_hold_rsb(struct dlm_rsb *r);

--- a/fs/dlm/midcomms.c
+++ b/fs/dlm/midcomms.c
@@ -61,9 +61,9 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
 	union {
 		unsigned char __buf[DLM_INBUF_LEN];
 		/* this is to force proper alignment on some arches */
-		struct dlm_header dlm;
+		union dlm_packet p;
 	} __tmp;
-	struct dlm_header *msg = &__tmp.dlm;
+	union dlm_packet *p = &__tmp.p;
 	int ret = 0;
 	int err = 0;
 	uint16_t msglen;
@@ -75,15 +75,22 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
 		   message may wrap around the end of the buffer back to the
 		   start, so we need to use a temp buffer and copy_from_cb. */
-		copy_from_cb(msg, base, offset, sizeof(struct dlm_header),
+		copy_from_cb(p, base, offset, sizeof(struct dlm_header),
 			     limit);
-		msglen = le16_to_cpu(msg->h_length);
+		msglen = le16_to_cpu(p->header.h_length);
-		lockspace = msg->h_lockspace;
+		lockspace = p->header.h_lockspace;
 		err = -EINVAL;
 		if (msglen < sizeof(struct dlm_header))
 			break;
+		if (p->header.h_cmd == DLM_MSG) {
+			if (msglen < sizeof(struct dlm_message))
+				break;
+		} else {
+			if (msglen < sizeof(struct dlm_rcom))
+				break;
+		}
 		err = -E2BIG;
 		if (msglen > dlm_config.ci_buffer_size) {
 			log_print("message size %d from %d too big, buf len %d",
@@ -104,26 +111,26 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
 		   in the buffer on the stack (which should work for most
 		   ordinary messages). */
-		if (msglen > DLM_INBUF_LEN && msg == &__tmp.dlm) {
+		if (msglen > sizeof(__tmp) && p == &__tmp.p) {
-			msg = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
+			p = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
-			if (msg == NULL)
+			if (p == NULL)
 				return ret;
 		}
-		copy_from_cb(msg, base, offset, msglen, limit);
+		copy_from_cb(p, base, offset, msglen, limit);
-		BUG_ON(lockspace != msg->h_lockspace);
+		BUG_ON(lockspace != p->header.h_lockspace);
 		ret += msglen;
 		offset += msglen;
 		offset &= (limit - 1);
 		len -= msglen;
-		dlm_receive_buffer(msg, nodeid);
+		dlm_receive_buffer(p, nodeid);
 	}
-	if (msg != &__tmp.dlm)
+	if (p != &__tmp.p)
-		kfree(msg);
+		kfree(p);
 	return err ? err : ret;
 }