git.ipfire.org Git - thirdparty/kernel/stable.git/commit

net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg

[ Upstream commit a29e220d3c8edbf0e1beb0f028878a4a85966556 ]

When receiving proposal msg in server, the field iparea_offset
and the field ipv6_prefixes_cnt in proposal msg are from the
remote client and can not be fully trusted. Especially the
field iparea_offset, once exceed the max value, there has the
chance to access wrong address, and crash may happen.

This patch checks iparea_offset and ipv6_prefixes_cnt before using them.

Fixes: e7b7a64a8493 ("smc: support variable CLC proposal messages")
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

author	Guangguan Wang <guangguan.wang@linux.alibaba.com>
	Wed, 11 Dec 2024 09:21:18 +0000 (17:21 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 9 Jan 2025 12:24:52 +0000 (13:24 +0100)
commit	846bada23bfcdeb83621b045ed85dc06c7833ff0
tree	d00e1e86e33b7875c57c3a4c03697592c9268c25	tree \| snapshot
parent	e18830b7c498d85b268d9e94a938f6542ff4ab49	commit \| diff

net/smc/af_smc.c		diff \| blob \| blame \| history
net/smc/smc_clc.c		diff \| blob \| blame \| history
net/smc/smc_clc.h		diff \| blob \| blame \| history