net/smc: check smcd_v2_ext_offset when receiving proposal msg

[ Upstream commit 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad ]

When receiving proposal msg in server, the field smcd_v2_ext_offset in
proposal msg is from the remote client and can not be fully trusted.
Once the value of smcd_v2_ext_offset exceed the max value, there has
the chance to access wrong address, and crash may happen.

This patch checks the value of smcd_v2_ext_offset before using it.

Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices")
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
index 986dcd5db3ed9489d046097aafe73bc5d32444de..78a94b9122b64868e7bb7f48fe9ca8850f5be681 100644 (file)
--- a/net/smc/smc_clc.h
+++ b/net/smc/smc_clc.h
@@ -311,9 +311,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
 static inline struct smc_clc_smcd_v2_extension *
 smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
 {
+       u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) -
+               offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
+               offsetof(struct smc_clc_v2_extension, hdr) -
+               offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset);
+
        if (!prop_v2ext)
                return NULL;
-       if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset))
+       if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) ||
+           ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset)
                return NULL;
 
        return (struct smc_clc_smcd_v2_extension *)