git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Sara Venkatesh <sarajvenkatesh@gmail.com>
	Mon, 4 May 2026 08:00:36 +0000 (01:00 -0700)
committer	Leon Romanovsky <leon@kernel.org>
	Mon, 18 May 2026 08:58:41 +0000 (04:58 -0400)
commit	eb4ecdf631fe00e8020bf461503cb9b7017ed796
tree	c7b42f3627b7bf47c588ae20f56ab8cbfef77eae	tree \| snapshot
parent	44ea9d022312097a8a25215f89e9c1a69a77b1d9	commit \| diff

RDMA/srpt: fix integer overflow in immediate data length check

imm_buf->len is a user-controlled uint32_t received from the network.
Adding it to imm_data_offset without overflow checking allows a
malicious initiator to send len=0xFFFFFFFF, causing req_size to wrap
around to a small value, bypassing the bounds check, and subsequently
passing a ~4GB length to sg_init_one().

Use check_add_overflow() to detect wrapping before the comparison.

Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data")
Reported-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org>
Signed-off-by: Sara Venkatesh <sarajvenkatesh@gmail.com>
Link: https://patch.msgid.link/20260504080036.3482415-1-sarajvenkatesh@gmail.com
Reviewed-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Leon Romanovsky <leon@kernel.org>