LU-12600 tgt: shortio size should be unsigned

The short_io_size value is accepting unsigned values from
req_capsule_get_size, and so needs to be unsigned as well.

If it's not, it's possible for the short_io_size memcopy to
act on an incorrect value and cause memory corruption.

Reported-by: Alibaba Cloud <yunye.ry@alibaba-inc.com>
Signed-off-by: Patrick Farrell <pfarrell@whamcloud.com>
Change-Id: I043e314cd43a7b40519f951a605fa5a36ff91dcf
Reviewed-on: https://review.whamcloud.com/35653
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre/target/tgt_handler.c b/lustre/target/tgt_handler.c
index 2165de9..027b05d 100644 (file)
--- a/lustre/target/tgt_handler.c
+++ b/lustre/target/tgt_handler.c
@@ -2388,7 +2388,7 @@ out_lock:
 EXPORT_SYMBOL(tgt_brw_read);
 
 static int tgt_shortio2pages(struct niobuf_local *local, int npages,
-                            unsigned char *buf, int size)
+                            unsigned char *buf, unsigned int size)
 {
        int     i, off, len;
        char    *ptr;
@@ -2586,7 +2586,7 @@ int tgt_brw_write(struct tgt_session_info *tsi)
        if (rc < 0)
                GOTO(out_lock, rc);
        if (body->oa.o_flags & OBD_FL_SHORT_IO) {
-               int short_io_size;
+               unsigned int short_io_size;
                unsigned char *short_io_buf;
 
                short_io_size = req_capsule_get_size(&req->rq_pill,