diff options
| author |   Guangguan Wang <guangguan.wang@linux.alibaba.com> | 2024-12-11 17:21:19 +0800 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2024-12-15 12:34:59 +0000 |
| commit | 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf (patch) | |
| tree | 0fe20df09d2b7fcaa6aca7b01731fb8f23261c50 /net/smc/af_smc.c | |
| parent | net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg (diff) | |
| download | wireguard-linux-7863c9f3d24ba49dbead7e03dfbe40deb5888fdf.tar.xz wireguard-linux-7863c9f3d24ba49dbead7e03dfbe40deb5888fdf.zip | |
net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg
When receiving proposal msg in server, the fields v2_ext_offset/
eid_cnt/ism_gid_cnt in proposal msg are from the remote client
and can not be fully trusted. Especially the field v2_ext_offset,
once exceed the max value, there has the chance to access wrong
address, and crash may happen.
This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt
before using them.
Fixes: 8c3dca341aea ("net/smc: build and send V2 CLC proposal")
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/smc/af_smc.c')
| -rw-r--r-- | net/smc/af_smc.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c index 9a74c9693f09..5d96f9de5b5d 100644 --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -2276,7 +2276,8 @@ static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc, goto not_found; smc_v2_ext = smc_get_clc_v2_ext(pclc); - if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL)) + if (!smc_v2_ext || + !smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL)) goto not_found; /* prepare RDMA check */ |