Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net/smc: check smcd_v2_ext_offset when receiving proposal msg

When receiving a proposal msg in the server, the field smcd_v2_ext_offset in
the proposal msg is from the remote client and cannot be fully trusted.
Once the value of smcd_v2_ext_offset exceeds the max value, there is a
chance of accessing a wrong address, and a crash may happen.

This patch checks the value of smcd_v2_ext_offset before using it.

Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices")
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Guangguan Wang and committed by David S. Miller
9ab332de 7863c9f3

+9 -1
+2
net/smc/af_smc.c
··· 2147 2147 pclc_smcd = smc_get_clc_msg_smcd(pclc); 2148 2148 smc_v2_ext = smc_get_clc_v2_ext(pclc); 2149 2149 smcd_v2_ext = smc_get_clc_smcd_v2_ext(smc_v2_ext); 2150 + if (!pclc_smcd || !smc_v2_ext || !smcd_v2_ext) 2151 + goto not_found; 2150 2152 2151 2153 mutex_lock(&smcd_dev_list.mutex); 2152 2154 if (pclc_smcd->ism.chid) {
+7 -1
net/smc/smc_clc.h
··· 400 400 static inline struct smc_clc_smcd_v2_extension * 401 401 smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext) 402 402 { 403 + u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) - 404 + offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) - 405 + offsetof(struct smc_clc_v2_extension, hdr) - 406 + offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset); 407 + 403 408 if (!prop_v2ext) 404 409 return NULL; 405 - if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset)) 410 + if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) || 411 + ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset) 406 412 return NULL; 407 413 408 414 return (struct smc_clc_smcd_v2_extension *)
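Review bot: in the net/smc/af_smc.c hunk, the new `if (!pclc_smcd || !smc_v2_ext || !smcd_v2_ext) goto not_found;` is placed before `mutex_lock(&smcd_dev_list.mutex);`, so the early exit needs no unlock path; that placement should be kept if the block is ever moved. The check also guards `pclc_smcd->ism.chid` on the following line, which was previously dereferenced without a NULL test, so the hunk fixes more than the out-of-range offset case the commit message describes; a one-line comment above the check saying that `smc_get_clc_smcd_v2_ext()` now returns NULL for an out-of-bounds `smcd_v2_ext_offset` would make the intent clear to the next reader.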
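Review bot: in the net/smc/smc_clc.h hunk, `max_offset` is an undocumented four-term `offsetof()` expression; a comment stating what it bounds (the largest `smcd_v2_ext_offset` for which the computed pointer still lands inside `struct smc_clc_msg_proposal_area`) would help, and since every term is a compile-time constant it could be `const u16` or a macro rather than a per-call local. Note that this bound is derived from the maximum layout of the proposal area, not from the length of the proposal actually received, so whether the remote-supplied offset is also checked against the real message length is not visible in this hunk and should be confirmed by the caller. Minor: `ntohs(prop_v2ext->hdr.smcd_v2_ext_offset)` is now evaluated twice in the condition; hoisting it into a local, e.g. `u16 ext_offset = ntohs(prop_v2ext->hdr.smcd_v2_ext_offset);`, would shorten the condition and keep the two uses in sync.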