net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg

When receiving proposal msg in server, the fields v2_ext_offset/
eid_cnt/ism_gid_cnt in proposal msg are from the remote client
and can not be fully trusted. Especially the field v2_ext_offset,
once exceed the max value, there has the chance to access wrong
address, and crash may happen.

This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt
before using them.

Fixes: 8c3dca341aea ("net/smc: build and send V2 CLC proposal")
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 9a74c9693f09ef19a4086918781b8d1a91e21775..5d96f9de5b5dfe252486751c6c3e6c954bd07836 100644 (file)
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -2276,7 +2276,8 @@ static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc,
                goto not_found;
 
        smc_v2_ext = smc_get_clc_v2_ext(pclc);
-       if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
+       if (!smc_v2_ext ||
+           !smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
                goto not_found;
 
        /* prepare RDMA check */

diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index 66a43b97eede025685e60e2e28e3534c07993942..f721d03efcbd7d75fde2e280feac78225d59f07b 100644 (file)
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -352,7 +352,6 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
        struct smc_clc_msg_hdr *hdr = &pclc->hdr;
        struct smc_clc_v2_extension *v2_ext;
 
-       v2_ext = smc_get_clc_v2_ext(pclc);
        pclc_prfx = smc_clc_proposal_get_prefix(pclc);
        if (!pclc_prfx ||
            pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX)
@@ -369,6 +368,13 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
                        sizeof(struct smc_clc_msg_trail))
                        return false;
        } else {
+               v2_ext = smc_get_clc_v2_ext(pclc);
+               if ((hdr->typev2 != SMC_TYPE_N &&
+                    (!v2_ext || v2_ext->hdr.eid_cnt > SMC_CLC_MAX_UEID)) ||
+                   (smcd_indicated(hdr->typev2) &&
+                    v2_ext->hdr.ism_gid_cnt > SMCD_CLC_MAX_V2_GID_ENTRIES))
+                       return false;
+
                if (ntohs(hdr->length) !=
                        sizeof(*pclc) +
                        sizeof(struct smc_clc_msg_smcd) +

diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
index ac8de6a177fac6660b24bce785a8a9fe34796aba..23afa4df862ed9724cf040f812e10d06e056286b 100644 (file)
--- a/net/smc/smc_clc.h
+++ b/net/smc/smc_clc.h
@@ -380,8 +380,14 @@ static inline struct smc_clc_v2_extension *
 smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
 {
        struct smc_clc_msg_smcd *prop_smcd = smc_get_clc_msg_smcd(prop);
+       u16 max_offset;
 
-       if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset))
+       max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
+                    offsetof(struct smc_clc_msg_proposal_area, pclc_smcd) -
+                    offsetofend(struct smc_clc_msg_smcd, v2_ext_offset);
+
+       if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset) ||
+           ntohs(prop_smcd->v2_ext_offset) > max_offset)
                return NULL;
 
        return (struct smc_clc_v2_extension *)