net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg

Mete Durlu · Mete Durlu · commit 4836339323b6 · 2025-05-16T18:16:32.000+02:00
JIRA: https://issues.redhat.com/browse/RHEL-73484 CVE: CVE-2024-57791 commit a29e220 Author: Guangguan Wang <guangguan.wang@linux.alibaba.com> Date: Wed Dec 11 17:21:18 2024 +0800 net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg When receiving proposal msg in server, the field iparea_offset and the field ipv6_prefixes_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field iparea_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks iparea_offset and ipv6_prefixes_cnt before using them. Fixes: e7b7a64 ("smc: support variable CLC proposal messages") Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com> Reviewed-by: Wen Gu <guwen@linux.alibaba.com> Reviewed-by: D. Wythe <alibuda@linux.alibaba.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Mete Durlu <mdurlu@redhat.com>
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
@@ -2022,6 +2022,8 @@ static int smc_listen_prfx_check(struct smc_sock *new_smc,
 	if (pclc->hdr.typev1 == SMC_TYPE_N)
 		return 0;
 	pclc_prfx = smc_clc_proposal_get_prefix(pclc);
+	if (!pclc_prfx)
+		return -EPROTO;
 	if (smc_clc_prfx_match(newclcsock, pclc_prfx))
 		return SMC_CLC_DECL_DIFFPREFIX;
 
@@ -2211,7 +2213,9 @@ static void smc_find_ism_v1_device_serv(struct smc_sock *new_smc,
 	int rc = 0;
 
 	/* check if ISM V1 is available */
-	if (!(ini->smcd_version & SMC_V1) || !smcd_indicated(ini->smc_type_v1))
+	if (!(ini->smcd_version & SMC_V1) ||
+	    !smcd_indicated(ini->smc_type_v1) ||
+	    !pclc_smcd)
 		goto not_found;
 	ini->is_smcd = true; /* prepare ISM check */
 	ini->ism_peer_gid[0].gid = ntohll(pclc_smcd->ism.gid);
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
@@ -354,6 +354,10 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
 
 	v2_ext = smc_get_clc_v2_ext(pclc);
 	pclc_prfx = smc_clc_proposal_get_prefix(pclc);
+	if (!pclc_prfx ||
+	    pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX)
+		return false;
+
 	if (hdr->version == SMC_V1) {
 		if (hdr->typev1 == SMC_TYPE_N)
 			return false;
diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
@@ -332,8 +332,12 @@ struct smc_clc_msg_decline_v2 {	/* clc decline message */
 static inline struct smc_clc_msg_proposal_prefix *
 smc_clc_proposal_get_prefix(struct smc_clc_msg_proposal *pclc)
 {
+	u16 offset = ntohs(pclc->iparea_offset);
+
+	if (offset > sizeof(struct smc_clc_msg_smcd))
+		return NULL;
 	return (struct smc_clc_msg_proposal_prefix *)
-	       ((u8 *)pclc + sizeof(*pclc) + ntohs(pclc->iparea_offset));
+	       ((u8 *)pclc + sizeof(*pclc) + offset);
 }
 
 static inline bool smcr_indicated(int smc_type)

Original file line number	Diff line number	Diff line change
`@@ -332,8 +332,12 @@ struct smc_clc_msg_decline_v2 { /* clc decline message */`
`332`	`332`	`static inline struct smc_clc_msg_proposal_prefix *`
`333`	`333`	`smc_clc_proposal_get_prefix(struct smc_clc_msg_proposal *pclc)`
`334`	`334`	`{`
	`335`	`+ u16 offset = ntohs(pclc->iparea_offset);`
	`336`	`+`
	`337`	`+ if (offset > sizeof(struct smc_clc_msg_smcd))`
	`338`	`+ return NULL;`
`335`	`339`	`return (struct smc_clc_msg_proposal_prefix *)`
`336`		`- ((u8 )pclc + sizeof(pclc) + ntohs(pclc->iparea_offset));`
	`340`	`+ ((u8 )pclc + sizeof(pclc) + offset);`
`337`	`341`	`}`
`338`	`342`
`339`	`343`	`static inline bool smcr_indicated(int smc_type)`