| author | Aurelien DESBRIERES <aurelien@hackers.camp> | 2026-06-08 16:47:15 +0300 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@nvidia.com> | 2026-06-08 21:21:28 +0300 |
| commit | 54bf38b27afc08a0eb6b732f9c14eb8a4bcb66b5 (patch) | |
| tree | 86b141b726fa64017e14db687e52f06c8ecaaed5 /include/linux/errqueue.h | |
| parent | c9bf47d2051ad7e0520b2f8d509de11079d2bf41 (diff) | |

RDMA/rtrs-srv: Fix integer underflow in process_read and process_write

usr_len is read from a network-supplied message field (le16_to_cpu)
and used to compute data_len = off - usr_len without validating that
usr_len <= off. A malicious RDMA client can send usr_len > off causing
an integer underflow, resulting in data_len wrapping to a huge size_t
value which is then passed to the rdma_ev callback as a memory length,
leading to out-of-bounds memory access.

Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
in both process_read() and process_write(), ensuring the early return
path acquires no reference and has no resource leak.

Link: https://patch.msgid.link/r/20260608134802.5019-1-aurelien@hackers.camp
Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Assisted-by: Claude <claude-sonnet-4-6>
Acked-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Diffstat (limited to 'include/linux/errqueue.h')
0 files changed, 0 insertions, 0 deletions
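
The wrap and the ordering of the check described in the commit message, as an added userspace example that is not the kernel's code or part of this commit. `struct model_srv`, `rd_le16()`, `data_len_unchecked()` and `process_checked()` are hypothetical names, the `refs` counter only stands in for the reference taken by `rtrs_srv_get_ops_ids()`, and the two-byte wire values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace model; none of these names are the kernel's. */
struct model_srv {
    int refs;             /* stands in for the reference taken by rtrs_srv_get_ops_ids() */
    size_t last_data_len; /* length that would be handed to the rdma_ev callback */
};

/* Decode a little-endian 16-bit wire field, as le16_to_cpu() would. */
static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Before: subtract with no bound check. usr_len > off wraps the size_t. */
size_t data_len_unchecked(size_t off, const uint8_t *wire_usr_len)
{
    size_t usr_len = rd_le16(wire_usr_len);
    return off - usr_len;
}

/* After: validate usr_len <= off first, then take the reference. */
int process_checked(struct model_srv *srv, size_t off, const uint8_t *wire_usr_len)
{
    size_t usr_len = rd_le16(wire_usr_len);

    if (usr_len > off)
        return -1;   /* rejected before any reference is held, so nothing to release */

    srv->refs++;     /* reference held while the request is in flight */
    srv->last_data_len = off - usr_len;
    return 0;
}

int main(void)
{
    const uint8_t bad[2] = { 0x00, 0x02 }; /* constructed: usr_len = 512 */
    const uint8_t ok[2]  = { 0x10, 0x00 }; /* constructed: usr_len = 16 */
    struct model_srv srv = { 0, 0 };

    printf("unchecked: %zu\n", data_len_unchecked(256, bad));
    printf("bad: rc=%d refs=%d\n", process_checked(&srv, 256, bad), srv.refs);
    printf("ok:  rc=%d len=%zu\n", process_checked(&srv, 256, ok), srv.last_data_len);
    return 0;
}
```

With `off = 256`, the unchecked path turns a 512-byte `usr_len` into a length just below `SIZE_MAX`, while the checked path returns early with the reference count unchanged.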
