From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 May 2020 09:38:56 +0000 (+0200)
Subject: vfs_io_uring: protect vfs_io_uring_pread_completion() against invalid results
X-Git-Tag: ldb-2.2.0~524
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f085dbf8b2bed2695e0065a5bf4523232cb532c7;p=thirdparty%2Fsamba.git

vfs_io_uring: protect vfs_io_uring_pread_completion() against invalid results

We should never get back more than we asked for.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/source3/modules/vfs_io_uring.c b/source3/modules/vfs_io_uring.c
index 3e004f48aa0..46fab116e9d 100644
--- a/source3/modules/vfs_io_uring.c
+++ b/source3/modules/vfs_io_uring.c
@@ -26,6 +26,7 @@
 #include "smbd/globals.h"
 #include "lib/util/tevent_unix.h"
 #include "lib/util/sys_rw.h"
+#include "lib/util/iov_buf.h"
 #include "smbprofile.h"
 #include <liburing.h>
 
@@ -472,6 +473,9 @@ static void vfs_io_uring_pread_completion(struct vfs_io_uring_request *cur,
 {
 	struct vfs_io_uring_pread_state *state = tevent_req_data(
 		cur->req, struct vfs_io_uring_pread_state);
+	struct iovec *iov = &state->iov;
+	int num_iov = 1;
+	bool ok;
 
 	/*
 	 * We rely on being inside the _send() function
@@ -485,6 +489,16 @@ static void vfs_io_uring_pread_completion(struct vfs_io_uring_request *cur,
 		return;
 	}
 
+	ok = iov_advance(&iov, &num_iov, cur->cqe.res);
+	if (!ok) {
+		/* This is not expected! */
+		DBG_ERR("iov_advance() failed cur->cqe.res=%d > iov_len=%d\n",
+			(int)cur->cqe.res,
+			(int)state->iov.iov_len);
+		tevent_req_error(cur->req, EIO);
+		return;
+	}
+
 	state->nread = state->ur.cqe.res;
 	tevent_req_done(cur->req);
 }