Skip to content

Commit 5d3d771

Browse files
author
Mete Durlu
committed
net/smc: check smcd_v2_ext_offset when receiving proposal msg
JIRA: https://issues.redhat.com/browse/RHEL-73484 CVE: CVE-2024-57791 commit 9ab332d Author: Guangguan Wang <guangguan.wang@linux.alibaba.com> Date: Wed Dec 11 17:21:20 2024 +0800 net/smc: check smcd_v2_ext_offset when receiving proposal msg When receiving proposal msg in server, the field smcd_v2_ext_offset in proposal msg is from the remote client and can not be fully trusted. Once the value of smcd_v2_ext_offset exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the value of smcd_v2_ext_offset before using it. Fixes: 5c21c4c ("net/smc: determine accepted ISM devices") Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com> Reviewed-by: Wen Gu <guwen@linux.alibaba.com> Reviewed-by: D. Wythe <alibuda@linux.alibaba.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Mete Durlu <mdurlu@redhat.com>
1 parent 99d4eab commit 5d3d771

File tree

2 files changed

+9
-1
lines changed

2 files changed

+9
-1
lines changed

net/smc/af_smc.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2137,6 +2137,8 @@ static void smc_find_ism_v2_device_serv(struct smc_sock *new_smc,
21372137
pclc_smcd = smc_get_clc_msg_smcd(pclc);
21382138
smc_v2_ext = smc_get_clc_v2_ext(pclc);
21392139
smcd_v2_ext = smc_get_clc_smcd_v2_ext(smc_v2_ext);
2140+
if (!pclc_smcd || !smc_v2_ext || !smcd_v2_ext)
2141+
goto not_found;
21402142

21412143
mutex_lock(&smcd_dev_list.mutex);
21422144
if (pclc_smcd->ism.chid) {

net/smc/smc_clc.h

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -396,9 +396,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
396396
static inline struct smc_clc_smcd_v2_extension *
397397
smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
398398
{
399+
u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) -
400+
offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
401+
offsetof(struct smc_clc_v2_extension, hdr) -
402+
offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset);
403+
399404
if (!prop_v2ext)
400405
return NULL;
401-
if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset))
406+
if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) ||
407+
ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset)
402408
return NULL;
403409

404410
return (struct smc_clc_smcd_v2_extension *)

0 commit comments

Comments
 (0)