diff options
| author | Guangguan Wang <guangguan.wang@linux.alibaba.com> | 2024-12-11 17:21:19 +0800 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2024-12-15 12:34:59 +0000 |
| commit | 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf (patch) | |
| tree | 0fe20df09d2b7fcaa6aca7b01731fb8f23261c50 /net/smc/smc_clc.h | |
| parent | a29e220d3c8edbf0e1beb0f028878a4a85966556 (diff) | |
net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg
When receiving proposal msg in server, the fields v2_ext_offset/
eid_cnt/ism_gid_cnt in proposal msg are from the remote client
and can not be fully trusted. Especially the field v2_ext_offset,
once exceed the max value, there has the chance to access wrong
address, and crash may happen.
This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt
before using them.
Fixes: 8c3dca341aea ("net/smc: build and send V2 CLC proposal")
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/smc/smc_clc.h')
| -rw-r--r-- | net/smc/smc_clc.h | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h index ac8de6a177fa..23afa4df862e 100644 --- a/net/smc/smc_clc.h +++ b/net/smc/smc_clc.h @@ -380,8 +380,14 @@ static inline struct smc_clc_v2_extension * smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop) { struct smc_clc_msg_smcd *prop_smcd = smc_get_clc_msg_smcd(prop); + u16 max_offset; - if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset)) + max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) - + offsetof(struct smc_clc_msg_proposal_area, pclc_smcd) - + offsetofend(struct smc_clc_msg_smcd, v2_ext_offset); + + if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset) || + ntohs(prop_smcd->v2_ext_offset) > max_offset) return NULL; return (struct smc_clc_v2_extension *) |