On Wed, 2019-02-20 at 09:16 -0800, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
>
> We need to check the return value of copy_src_filesize and
> copy_dst_truncate because either could return -1 due to fstat/ftruncate
> failure.
Makes sense.
Reviewed-by: Anna Schumaker <Anna.Schumaker@xxxxxxxxxx>
>
> Fixes: 628e112afdd98c5 ("xfs_io: implement 'copy_range' command")
> Cc: schumaker.anna@xxxxxxxxx
> Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> ---
> v2: fix return values and overflow problems
> ---
> io/copy_file_range.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/io/copy_file_range.c b/io/copy_file_range.c
> index 4e2969c9..d069e5bb 100644
> --- a/io/copy_file_range.c
> +++ b/io/copy_file_range.c
> @@ -120,11 +120,24 @@ copy_range_f(int argc, char **argv)
> return 0;
>
> if (src == 0 && dst == 0 && len == 0) {
> - len = copy_src_filesize(fd);
> - copy_dst_truncate();
> + off64_t sz;
> +
> + sz = copy_src_filesize(fd);
> + if (sz < 0 || (unsigned long long)sz > SIZE_MAX) {
> + ret = 1;
> + goto out;
> + }
> + len = sz;
> +
> + ret = copy_dst_truncate();
> + if (ret < 0) {
> + ret = 1;
> + goto out;
> + }
> }
>
> ret = copy_file_range_cmd(fd, &src, &dst, len);
> +out:
> close(fd);
> return ret;
> }
