libceph: skip message if too big to receive

We know the length of our message buffers.  If we get a message
that's too long, just dump it and ignore it.  If skip was set
then con->in_msg won't be valid, so be careful not to dereference
a null pointer in the process.

This resolves:
    http://tracker.ceph.com/issues/4664

Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Josh Durgin <josh.durgin@inktank.com>

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 994192beda024de065295a65361bd635d1242113..cb5b4e6733f0b0027eb817c9826db71025918bc3 100644 (file)
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2207,10 +2207,18 @@ static int read_partial_message(struct ceph_connection *con)
                ret = ceph_con_in_msg_alloc(con, &skip);
                if (ret < 0)
                        return ret;
+
+               BUG_ON(!con->in_msg ^ skip);
+               if (con->in_msg && data_len > con->in_msg->data_length) {
+                       pr_warning("%s skipping long message (%u > %zd)\n",
+                               __func__, data_len, con->in_msg->data_length);
+                       ceph_msg_put(con->in_msg);
+                       con->in_msg = NULL;
+                       skip = 1;
+               }
                if (skip) {
                        /* skip this message */
                        dout("alloc_msg said skip message\n");
-                       BUG_ON(con->in_msg);
                        con->in_base_pos = -front_len - middle_len - data_len -
                                sizeof(m->footer);
                        con->in_tag = CEPH_MSGR_TAG_READY;