Commit 04ded167 authored by Sean Hefty's avatar Sean Hefty Committed by Roland Dreier

RDMA/cma: Verify private data length

private_data_len is defined as a u8.  If the user specifies a large
private_data size (> 220 bytes), we will calculate a total length that
exceeds 255, resulting in private_data_len wrapping back to 0.  This
can lead to overwriting random kernel memory.  Avoid this by verifying
that the resulting size fits into a u8.
Reported-by: default avatarB. Thery <benjamin.thery@bull.net>
Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
Signed-off-by: default avatarSean Hefty <sean.hefty@intel.com>
Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
parent 5611cc45
...@@ -2513,6 +2513,9 @@ static int cma_resolve_ib_udp(struct rdma_id_private *id_priv, ...@@ -2513,6 +2513,9 @@ static int cma_resolve_ib_udp(struct rdma_id_private *id_priv,
req.private_data_len = sizeof(struct cma_hdr) + req.private_data_len = sizeof(struct cma_hdr) +
conn_param->private_data_len; conn_param->private_data_len;
if (req.private_data_len < conn_param->private_data_len)
return -EINVAL;
req.private_data = kzalloc(req.private_data_len, GFP_ATOMIC); req.private_data = kzalloc(req.private_data_len, GFP_ATOMIC);
if (!req.private_data) if (!req.private_data)
return -ENOMEM; return -ENOMEM;
...@@ -2562,6 +2565,9 @@ static int cma_connect_ib(struct rdma_id_private *id_priv, ...@@ -2562,6 +2565,9 @@ static int cma_connect_ib(struct rdma_id_private *id_priv,
memset(&req, 0, sizeof req); memset(&req, 0, sizeof req);
offset = cma_user_data_offset(id_priv->id.ps); offset = cma_user_data_offset(id_priv->id.ps);
req.private_data_len = offset + conn_param->private_data_len; req.private_data_len = offset + conn_param->private_data_len;
if (req.private_data_len < conn_param->private_data_len)
return -EINVAL;
private_data = kzalloc(req.private_data_len, GFP_ATOMIC); private_data = kzalloc(req.private_data_len, GFP_ATOMIC);
if (!private_data) if (!private_data)
return -ENOMEM; return -ENOMEM;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment