[PATCH] ceph: bound encrypted snapshot suffix formatting

[Pengpeng Hou]

`ceph_encode_encrypted_dname()` base64-encodes the encrypted snapshot
name into the caller buffer and then, for long snapshot names, appends
`_<ino>` with `sprintf(p + elen, ...)`.

Some callers only provide `NAME_MAX` bytes. For long snapshot names, the
returned length also includes the leading underscore that stays in place
ahead of the encoded text. On 64-bit kernels, a long inode suffix can
push the final encoded name past `NAME_MAX` even though the encrypted
prefix itself stayed within the documented 240-byte budget.

Format the suffix into a small local buffer first and reject names whose
suffix would exceed the caller's `NAME_MAX` output buffer.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
 fs/ceph/crypto.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/fs/ceph/crypto.c b/fs/ceph/crypto.c
index f3de43ccb470..eeba8ffb0554 100644
--- a/fs/ceph/crypto.c
+++ b/fs/ceph/crypto.c
@@ -208,6 +208,7 @@ int ceph_encode_encrypted_dname(struct inode *parent, char *buf, int elen)
 	struct ceph_client *cl = ceph_inode_to_client(parent);
 	struct inode *dir = parent;
 	char *p = buf;
+	char suffix[1 + 20 + 1];
 	u32 len;
 	int name_len = elen;
 	int ret;
@@ -271,8 +272,20 @@ int ceph_encode_encrypted_dname(struct inode *parent, char *buf, int elen)
 
 	/* To understand the 240 limit, see CEPH_NOHASH_NAME_MAX comments */
 	WARN_ON(elen > 240);
-	if (dir != parent) // leading _ is already there; append _<inum>
-		elen += 1 + sprintf(p + elen, "_%ld", dir->i_ino);
+	if (dir != parent) { // leading _ is already there; append _<inum>
+		ret = snprintf(suffix, sizeof(suffix), "_%lu", dir->i_ino);
+		if (ret < 0) {
+			elen = ret;
+			goto out;
+		}
+		if (ret >= NAME_MAX - elen) {
+			elen = -ENAMETOOLONG;
+			goto out;
+		}
+
+		memcpy(p + elen, suffix, ret);
+		elen += ret + 1;
+	}
 
 out:
 	kfree(cryptbuf);
-- 
2.50.1 (Apple Git-155)