Re: [PATCH] RDMA: rxe: validate pad and ICRC before payload_size() in rxe_rcv

Next message: Guenter Roeck: "Re: [PATCH v2 12/13] hwmon: spd5118: Add I3C support"
Previous message: Eliot Courtney: "[PATCH 3/3] gpu: nova-core: add non-sec2 unload path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Thu Apr 09 2026 - 10:22:11 EST

On Wed, Apr 01, 2026 at 12:19:07PM +0000, hkbinbin wrote:
> rxe_rcv() currently checks only that the incoming packet is at least
> header_size(pkt) bytes long before payload_size() is used.
>
> However, payload_size() subtracts both the attacker-controlled BTH pad
> field and RXE_ICRC_SIZE from pkt->paylen:
>
> payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
> - RXE_ICRC_SIZE
>
> This means a short packet can still make payload_size() underflow even
> if it includes enough bytes for the fixed headers. Simply requiring
> header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
> packet with a forged non-zero BTH pad can still leave payload_size()
> negative and pass an underflowed value to later receive-path users.
>
> Fix this by validating pkt->paylen against the full minimum length
> required by payload_size(): header_size(pkt) + bth_pad(pkt) +
> RXE_ICRC_SIZE.
>
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: hkbinbin <hkbinbinbin@xxxxxxxxx>
> Reviewed-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
> ---
> drivers/infiniband/sw/rxe/rxe_recv.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

Applied to for-next, thanks

Jason