diff options
| author | Guangguan Wang <guangguan.wang@linux.alibaba.com> | 2024-12-11 17:21:20 +0800 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2024-12-15 12:34:59 +0000 |
| commit | 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad (patch) | |
| tree | 167b6df5cefbcfa41048ad2a79f4fdb919aa1b82 /net/smc/smc_clc.h | |
| parent | 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf (diff) | |
net/smc: check smcd_v2_ext_offset when receiving proposal msg
When receiving proposal msg in server, the field smcd_v2_ext_offset in
proposal msg is from the remote client and can not be fully trusted.
Once the value of smcd_v2_ext_offset exceed the max value, there has
the chance to access wrong address, and crash may happen.
This patch checks the value of smcd_v2_ext_offset before using it.
Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices")
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/smc/smc_clc.h')
| -rw-r--r-- | net/smc/smc_clc.h | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h index 23afa4df862e..767289925410 100644 --- a/net/smc/smc_clc.h +++ b/net/smc/smc_clc.h @@ -400,9 +400,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop) static inline struct smc_clc_smcd_v2_extension * smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext) { + u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) - + offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) - + offsetof(struct smc_clc_v2_extension, hdr) - + offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset); + if (!prop_v2ext) return NULL; - if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset)) + if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) || + ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset) return NULL; return (struct smc_clc_smcd_v2_extension *) |