author Aurelien DESBRIERES <aurelien@hackers.camp> 2026-06-08 16:47:15 +0300
committer Jason Gunthorpe <jgg@nvidia.com> 2026-06-08 21:21:28 +0300
commit 54bf38b27afc08a0eb6b732f9c14eb8a4bcb66b5
tree 86b141b726fa64017e14db687e52f06c8ecaaed5 /include/linux
parent c9bf47d2051ad7e0520b2f8d509de11079d2bf41
RDMA/rtrs-srv: Fix integer underflow in process_read and process_write

usr_len is read from a network-supplied message field (le16_to_cpu) and used to compute data_len = off - usr_len without validating that usr_len <= off. A malicious RDMA client can send usr_len > off causing an integer underflow, resulting in data_len wrapping to a huge size_t value which is then passed to the rdma_ev callback as a memory length, leading to out-of-bounds memory access.

Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids() in both process_read() and process_write(), ensuring the early return path acquires no reference and has no resource leak.

Link: https://patch.msgid.link/r/20260608134802.5019-1-aurelien@hackers.camp
Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Assisted-by: Claude <claude-sonnet-4-6>
Acked-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
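
The size_t wrap and the check-before-acquire ordering described in the commit message, modelled in userspace C as an added example (this is not the kernel patch or the author's code). The demo_* names, the demo_refs counter and the sample bytes are constructed; demo_process_late is a hypothetical ordering shown only for contrast.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

static int demo_refs; /* stand-in for the reference the real code acquires */

/* Userspace equivalent of le16_to_cpu() on two wire bytes. */
static uint16_t demo_le16(const uint8_t b[2])
{
	return (uint16_t)(b[0] | (b[1] << 8));
}

/* Unchecked form: size_t subtraction wraps when usr_len > off. */
size_t demo_len_unchecked(const uint8_t wire[2], size_t off)
{
	return off - (size_t)demo_le16(wire);
}

/* Hypothetical ordering: check after acquiring, so the bare return leaks. */
int demo_process_late(const uint8_t wire[2], size_t off, size_t *data_len)
{
	size_t usr_len = demo_le16(wire);
	demo_refs++;
	if (usr_len > off)
		return -EINVAL; /* reference still held */
	*data_len = off - usr_len;
	demo_refs--;
	return 0;
}

/* Ordering the commit message describes: validate, then acquire. */
int demo_process(const uint8_t wire[2], size_t off, size_t *data_len)
{
	size_t usr_len = demo_le16(wire);
	if (usr_len > off)
		return -EINVAL; /* nothing acquired, nothing to release */
	demo_refs++;
	*data_len = off - usr_len; /* cannot wrap: usr_len <= off */
	demo_refs--;
	return 0;
}

int main(void)
{
	const uint8_t bad[2] = { 0x01, 0x02 }; /* constructed: usr_len = 513 */
	size_t len = 0;
	int rc = demo_process(bad, 256, &len);
	printf("wrapped=%zu rc=%d refs=%d\n", demo_len_unchecked(bad, 256), rc, demo_refs);
	return 0;
}
```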