From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 May 2020 09:38:56 +0000 (+0200)
Subject: vfs_io_uring: protect vfs_io_uring_pwrite_completion() against invalid results
X-Git-Tag: ldb-2.2.0~523
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=283f96872237517f0b3bc4e63e8d3c482ecd5fa4;p=thirdparty%2Fsamba.git

vfs_io_uring: protect vfs_io_uring_pwrite_completion() against invalid results

We should never get more acked than we asked for.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/source3/modules/vfs_io_uring.c b/source3/modules/vfs_io_uring.c
index 46fab116e9d..0ea785aae85 100644
--- a/source3/modules/vfs_io_uring.c
+++ b/source3/modules/vfs_io_uring.c
@@ -601,6 +601,9 @@ static void vfs_io_uring_pwrite_completion(struct vfs_io_uring_request *cur,
 {
 	struct vfs_io_uring_pwrite_state *state = tevent_req_data(
 		cur->req, struct vfs_io_uring_pwrite_state);
+	struct iovec *iov = &state->iov;
+	int num_iov = 1;
+	bool ok;
 
 	/*
 	 * We rely on being inside the _send() function
@@ -614,6 +617,16 @@ static void vfs_io_uring_pwrite_completion(struct vfs_io_uring_request *cur,
 		return;
 	}
 
+	ok = iov_advance(&iov, &num_iov, cur->cqe.res);
+	if (!ok) {
+		/* This is not expected! */
+		DBG_ERR("iov_advance() failed cur->cqe.res=%d > iov_len=%d\n",
+			(int)cur->cqe.res,
+			(int)state->iov.iov_len);
+		tevent_req_error(cur->req, EIO);
+		return;
+	}
+
 	state->nwritten = state->ur.cqe.res;
 	tevent_req_done(cur->req);
 }