Whamcloud - gitweb
LU-12614 ldlm: ldlm_cancel_hpreq_check should check lock count 07/35807/2
author Oleg Drokin <green@whamcloud.com>
Sat, 17 Aug 2019 05:43:36 +0000 (01:43 -0400)
committer Oleg Drokin <green@whamcloud.com>
Tue, 3 Sep 2019 05:12:32 +0000 (05:12 +0000)
Make sure the number of locks we are going to cancel fits into
the supplied buffer first.
This is similar to LU-12603, just in a different place.

Change-Id: Ifa2aa976ce8613217c739ef609de54538c57b5e9
Signed-off-by: Oleg Drokin <green@whamcloud.com>
Reported-by: Alibaba Cloud <yunye.ry@alibaba-inc.com>
Reviewed-on: https://review.whamcloud.com/35807
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Patrick Farrell <pfarrell@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Yunye Ry <yunye.ry@alibaba-inc.com>
lustre/ldlm/ldlm_lockd.c

index 65509be..6fcc0a9 100644 (file)
@@ -2507,6 +2507,7 @@ static int ldlm_cancel_hpreq_check(struct ptlrpc_request *req)
        struct ldlm_request *dlm_req;
        int rc = 0;
        int i;
+       unsigned int size;
 
        ENTRY;
 
@@ -2518,6 +2519,12 @@ static int ldlm_cancel_hpreq_check(struct ptlrpc_request *req)
        if (dlm_req == NULL)
                RETURN(-EFAULT);
 
+       size = req_capsule_get_size(&req->rq_pill, &RMF_DLM_REQ, RCL_CLIENT);
+       if (size <= offsetof(struct ldlm_request, lock_handle) ||
+           (size - offsetof(struct ldlm_request, lock_handle)) /
+            sizeof(struct lustre_handle) < dlm_req->lock_count)
+               RETURN(-EPROTO);
+
        for (i = 0; i < dlm_req->lock_count; i++) {
                struct ldlm_lock *lock;
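
Review bot: the first clause of the new size check, `size <= offsetof(struct ldlm_request, lock_handle)`, rejects a buffer that ends exactly at lock_handle with -EPROTO even when dlm_req->lock_count is 0, and nothing in the hunk says whether that is intended. If a cancel request carrying no handles is never valid, add a short comment saying so, and note there that this clause is also what keeps the unsigned subtraction on the following line from wrapping. If an empty request should be accepted, use `<` instead and let the division yield zero slots. Since the commit message describes this as the same check as LU-12603 in a different place, a small shared helper that returns the number of lustre_handle slots available in the RMF_DLM_REQ buffer would keep the two sites from drifting apart.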