vfs_io_uring: protect vfs_io_uring_pwrite_completion() against invalid results
authorStefan Metzmacher <metze@samba.org>
Fri, 8 May 2020 09:38:56 +0000 (11:38 +0200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 14 May 2020 07:25:46 +0000 (07:25 +0000)
We should never get more acked than we asked for.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 283f96872237517f0b3bc4e63e8d3c482ecd5fa4)

source3/modules/vfs_io_uring.c

index 46fab116e9de5cd80d34232eea4bbac8a4a7186b..0ea785aae857b5a96aaa0f3675fc3800da0740ae 100644 (file)
@@ -601,6 +601,9 @@ static void vfs_io_uring_pwrite_completion(struct vfs_io_uring_request *cur,
 {
        struct vfs_io_uring_pwrite_state *state = tevent_req_data(
                cur->req, struct vfs_io_uring_pwrite_state);
+       struct iovec *iov = &state->iov;
+       int num_iov = 1;
+       bool ok;
 
        /*
         * We rely on being inside the _send() function
@@ -614,6 +617,16 @@ static void vfs_io_uring_pwrite_completion(struct vfs_io_uring_request *cur,
                return;
        }
 
+       ok = iov_advance(&iov, &num_iov, cur->cqe.res);
+       if (!ok) {
+               /* This is not expected! */
+               DBG_ERR("iov_advance() failed cur->cqe.res=%d > iov_len=%d\n",
+                       (int)cur->cqe.res,
+                       (int)state->iov.iov_len);
+               tevent_req_error(cur->req, EIO);
+               return;
+       }
+
        state->nwritten = state->ur.cqe.res;
        tevent_req_done(cur->req);
 }
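Review bot: The new guard validates `cur->cqe.res`, but the value stored right after it is read from `state->ur.cqe.res`. These are presumably the same object, yet `state->nwritten = cur->cqe.res;` would make it evident that the value which passed `iov_advance()` is the one handed back to the caller. The signed `cur->cqe.res` is also converted implicitly to the `size_t` length argument of `iov_advance()`, so the bound only holds because of the negative-result branch that ends just above this hunk and is not visible here; a comment such as `/* cqe.res >= 0 here, errors were handled above */` would record that dependency. In the `DBG_ERR` call, `(int)state->iov.iov_len` can truncate a large length in the log line, and `%zu` with the uncast `state->iov.iov_len` would print it faithfully. The function body starts in the previous hunk, so the declarations of `iov`, `num_iov` and `ok` are only partly visible together with this check.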