Re: [PATCH] RDMA/srp: bound SRP_RSP sense copy by the received length
From: Bart Van Assche
Date: Tue Jun 02 2026 - 16:19:12 EST
On 6/2/26 12:46 PM, Michael Bommarito wrote:
> A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
> the initiator has logged into can return an SRP_RSP with
> SRP_RSP_FLAG_SNSVALID set and resp_data_len set to a large value such as
> 0xFFFFFFFF. The receive buffer is allocated at the target-chosen
> max_ti_iu_len, so the copy source lands far past the allocation.
> The memcpy then reads out of bounds of the kzalloc'd receive IU; with
> resp_data_len near 0xFFFFFFFF the source is multiple gigabytes past the
> buffer and faults.

The above is misleading because it does not mention that the SRP
initiator copies at most SCSI_SENSE_BUFFERSIZE bytes of sense data.

> Pass wc->byte_len into srp_process_rsp() and copy the sense data only
> when the response header, the response data, and the sense region fit
> within the bytes actually received; otherwise drop the sense and log.
> The in-tree iSER and NVMe-RDMA receive paths already bound their parse
> by wc->byte_len; this brings ib_srp into line with them.

This sounds weird. I'd write this as follows: "... copy only if the
sense data has not been truncated".

> + else
> + shost_printk(KERN_ERR, target->scsi_host,
> + "dropping oversized sense (resp_data_len %u sense_data_len %u) in %u-byte RSP\n",
> + resp_len, sense_len, byte_len);

No, in this case the sense data is not oversized but has been truncated.
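Review bot: the shost_printk in this hunk logs at KERN_ERR without any rate limiting on a path that, per the cover letter, a malicious target can trigger at will with every SRP_RSP it sends, so it should be rate-limited or demoted so a hostile target cannot flood the initiator's log; the message should also say the sense was truncated rather than oversized, since the branch is taken when the header, resp_data_len and sense_data_len together exceed the received byte_len, not when sense_data_len itself is large.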
Thanks,
Bart.
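To illustrate the bound the patch description proposes, here is an added user-space model in C; it is not code from the patch or from ib_srp. The header size, field offsets, flag value and SCSI_SENSE_BUFFERSIZE are assumptions that follow the SRP response IU layout, and the RSP bytes are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout for this stand-alone model (kernel values live in <scsi/srp.h> and
 * <scsi/scsi_cmnd.h>): 36-byte RSP header, big-endian lengths, sense after response data. */
#define SRP_RSP_HDR_LEN       36u
#define SRP_RSP_FLAG_SNSVALID (1u << 1)
#define SCSI_SENSE_BUFFERSIZE 96u
#define OFF_FLAGS             14u
#define OFF_SENSE_DATA_LEN    28u
#define OFF_RESP_DATA_LEN     32u

static uint32_t get_be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v; }
/* Sense bytes that may be copied from an RSP IU of which byte_len bytes (wc->byte_len)
 * were actually received; 0 means the sense is absent or truncated, so skip the copy.
 * 64-bit sums keep a hostile resp_data_len of 0xFFFFFFFF from wrapping the bound check. */
static size_t srp_rsp_sense_copy_len(const uint8_t *iu, uint32_t byte_len, uint32_t *sense_off)
{
    if (byte_len < SRP_RSP_HDR_LEN || !(iu[OFF_FLAGS] & SRP_RSP_FLAG_SNSVALID))
        return 0;
    uint64_t resp_len = get_be32(iu + OFF_RESP_DATA_LEN);
    uint64_t sense_len = get_be32(iu + OFF_SENSE_DATA_LEN);
    /* Header, response data and the whole sense region must fit in the received bytes. */
    if (SRP_RSP_HDR_LEN + resp_len + sense_len > byte_len)
        return 0;
    *sense_off = (uint32_t)(SRP_RSP_HDR_LEN + resp_len);
    return sense_len < SCSI_SENSE_BUFFERSIZE ? (size_t)sense_len : SCSI_SENSE_BUFFERSIZE;
}

/* Builds a constructed RSP header (sample data, not a captured IU) with the given lengths. */
static void build_rsp(uint8_t *iu, uint32_t resp_len, uint32_t sense_len)
{
    memset(iu, 0, SRP_RSP_HDR_LEN);
    iu[OFF_FLAGS] = SRP_RSP_FLAG_SNSVALID;
    put_be32(iu + OFF_RESP_DATA_LEN, resp_len);
    put_be32(iu + OFF_SENSE_DATA_LEN, sense_len);
}

int main(void)
{
    uint8_t iu[128];
    uint32_t off = 0;
    build_rsp(iu, 4, 18);            /* 36 + 4 + 18 = 58 bytes on the wire */
    size_t good = srp_rsp_sense_copy_len(iu, 58, &off);
    build_rsp(iu, 0xFFFFFFFFu, 18);  /* the hostile value from the cover letter */
    size_t bad = srp_rsp_sense_copy_len(iu, 58, &off);
    printf("well-formed: copy %zu bytes at offset %u; hostile: copy %zu bytes\n", good, off, bad);
    return 0;
}
```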