LU-12602 mdt: more EA size check in mdt_getxattr_pack_reply()

While the RMF_EAVALS field size can be arbitrary length,
the RMF_EAVALS_LENS field definition specifies
the RMF_F_STRUCT_ARRAY flag, so the passed size must be a multiple
of sizeof(__u32) or the internal LBUG() will trigger.

Signed-off-by: Emoly Liu <emoly@whamcloud.com>
Change-Id: I767e1b1496298e9a66274fc324f9c34daaed4a09
Reviewed-on: https://review.whamcloud.com/36103
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Patrick Farrell <pfarrell@whamcloud.com>

diff --git a/lustre/mdt/mdt_xattr.c b/lustre/mdt/mdt_xattr.c
index 4c362a3..82d94c7 100644 (file)
--- a/lustre/mdt/mdt_xattr.c
+++ b/lustre/mdt/mdt_xattr.c
@@ -97,9 +97,11 @@ static int mdt_getxattr_pack_reply(struct mdt_thread_info * info)
                /* We could calculate accurate sizes, but this would
                 * introduce a lot of overhead, let's do it later... */
                size = info->mti_body->mbo_eadatasize;
-               if (size <= 0 || size > info->mti_mdt->mdt_max_ea_size) {
-                       CERROR("%s: invalid EA size(%d) for FLXATTRALL\n",
-                              mdt_obd_name(info->mti_mdt), size);
+               if (size <= 0 || size > info->mti_mdt->mdt_max_ea_size ||
+                   size & (sizeof(__u32) - 1)) {
+                       DEBUG_REQ(D_ERROR, req,
+                                 "%s: invalid EA size(%d) for FLXATTRALL\n",
+                                 mdt_obd_name(info->mti_mdt), size);
                        RETURN(-EINVAL);
                }
                req_capsule_set_size(pill, &RMF_EAVALS, RCL_SERVER, size);