• Chuck Lever's avatar
    xprtrdma: Store RDMA credits in unsigned variables · 9b1dcbc8
    Chuck Lever authored
    Dan Carpenter's static checker pointed out:
    
       net/sunrpc/xprtrdma/rpc_rdma.c:879 rpcrdma_reply_handler()
       warn: can 'credits' be negative?
    
    "credits" is defined as an int. The credits value comes from the
    server as a 32-bit unsigned integer.
    
    A malicious or broken server can plant a large unsigned integer in
    that field which would result in an underflow in the following
    logic, potentially triggering a deadlock of the mount point by
    blocking the client from issuing more RPC requests.
    
    net/sunrpc/xprtrdma/rpc_rdma.c:
    
      876          credits = be32_to_cpu(headerp->rm_credit);
      877          if (credits == 0)
      878                  credits = 1;    /* don't deadlock */
      879          else if (credits > r_xprt->rx_buf.rb_max_requests)
      880                  credits = r_xprt->rx_buf.rb_max_requests;
      881
      882          cwnd = xprt->cwnd;
      883          xprt->cwnd = credits << RPC_CWNDSHIFT;
      884          if (xprt->cwnd > cwnd)
      885                  xprt_release_rqst_cong(rqst->rq_task);
    Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
    Fixes: eba8ff66 ("xprtrdma: Move credit update to RPC . . .")
    Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
    Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
    9b1dcbc8
rpc_rdma.c 27.8 KB