LU-12603 ldlm: Check cancel lock count for correctness 06/35806/2
authorOleg Drokin <green@whamcloud.com>
Sat, 17 Aug 2019 05:36:07 +0000 (01:36 -0400)
committerOleg Drokin <green@whamcloud.com>
Sat, 7 Sep 2019 01:34:13 +0000 (01:34 +0000)
Make sure the number of locks we are going to cancel fits into
the supplied buffer first.

Change-Id: I93887133532bf7ee2be27114b1972aa64e06623c
Signed-off-by: Oleg Drokin <green@whamcloud.com>
Reported-by: Alibaba Cloud <yunye.ry@alibaba-inc.com>
Reviewed-on: https://review.whamcloud.com/35806
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Yunye Ry <yunye.ry@alibaba-inc.com>
lustre/ldlm/ldlm_lockd.c

index 6fcc0a9..cef3857 100644 (file)
@@ -1673,9 +1673,16 @@ int ldlm_request_cancel(struct ptlrpc_request *req,
        struct ldlm_resource *res, *pres = NULL;
        struct ldlm_lock *lock;
        int i, count, done = 0;
+       unsigned int size;
 
        ENTRY;
 
+       size = req_capsule_get_size(&req->rq_pill, &RMF_DLM_REQ, RCL_CLIENT);
+       if (size <= offsetof(struct ldlm_request, lock_handle) ||
+           (size - offsetof(struct ldlm_request, lock_handle)) /
+            sizeof(struct lustre_handle) < dlm_req->lock_count)
+               RETURN(0);
+
        count = dlm_req->lock_count ? dlm_req->lock_count : 1;
        if (first >= count)
                RETURN(0);
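Review bot: The capacity check added at the top of ldlm_request_cancel compares against `dlm_req->lock_count`, but the bound used afterwards is `count`, which the next line sets to 1 when lock_count is 0. A request with lock_count 0 whose buffer ends part-way through lock_handle[0] therefore passes the check while count still says one handle. The check added in ldlm_handle_cancel covers that caller, but any other caller is not visible here. Comparing against the effective count closes the gap: `sizeof(struct lustre_handle) < (dlm_req->lock_count ? dlm_req->lock_count : 1))`. The undersized case also returns 0 silently, the same value as `first >= count`, so a short comment stating that a too-small buffer is deliberately treated as "nothing cancelled" would help; the function body continues outside the hunk.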
@@ -1766,6 +1773,10 @@ int ldlm_handle_cancel(struct ptlrpc_request *req)
                RETURN(-EFAULT);
        }
 
+       if (req_capsule_get_size(&req->rq_pill, &RMF_DLM_REQ, RCL_CLIENT) <
+           offsetof(struct ldlm_request, lock_handle[1]))
+               RETURN(-EPROTO);
+
        if (req->rq_export && req->rq_export->exp_nid_stats &&
            req->rq_export->exp_nid_stats->nid_ldlm_stats)
                lprocfs_counter_incr(req->rq_export->exp_nid_stats->nid_ldlm_stats,
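Review bot: The new size check in ldlm_handle_cancel has no comment explaining why the minimum is `lock_handle[1]` rather than the fixed header alone, and it rejects the request without logging anything. Suggest `/* need room for one handle: ldlm_request_cancel() uses a count of 1 when lock_count is 0 */` above it, plus a debug message before `RETURN(-EPROTO)` so that undersized cancel requests from a peer can be spotted in logs. The function starts and ends outside the hunk, so whether the preceding -EFAULT path already logs is not visible from here.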