Commit 596f9129 authored Apr 24, 2026 by Raphael Zimmer Committed by Ilya Dryomov May 11, 2026

libceph: Fix unnecessarily high ceph_decode_need() for uniform bucket



In crush_decode_uniform_bucket(), the item_weight field of the bucket
is set. This is a single field of type u32 since the uniform bucket uses
the same weight for all items. The value in ceph_decode_need() is set to
(1+b->h.size) * sizeof(u32), which is higher than actually needed.

This patch removes the call to ceph_decode_need() with the unnecessarily
high value and switches the subsequent operation from ceph_decode_32()
to ceph_decode_32_safe(), which already includes the correct bounds
check.

Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

parent 4c79fc2d

net/ceph/osdmap.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -72,8 +72,7 @@ static int crush_decode_uniform_bucket(void *p, void end,
		struct crush_bucket_uniform *b)
		{
		dout("crush_decode_uniform_bucket %p to %p\n", *p, end);
		ceph_decode_need(p, end, (1+b->h.size) * sizeof(u32), bad);
		b->item_weight = ceph_decode_32(p);
		ceph_decode_32_safe(p, end, b->item_weight, bad);
		return 0;
		bad:
		return -EINVAL;