Re: [PATCH] RDMA/srpt: fix integer overflow in immediate data length check
From: Bart Van Assche
Date: Tue May 05 2026 - 04:20:29 EST
On 5/4/26 10:00 AM, Sara Venkatesh wrote:
imm_buf->len is a user-controlled uint32_t received from the network.
Adding it to imm_data_offset without overflow checking allows a
malicious initiator to send len=0xFFFFFFFF, causing req_size to wrap
around to a small value, bypassing the bounds check, and subsequently
passing a ~4GB length to sg_init_one().
Use check_add_overflow() to detect wrapping before the comparison.

Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx>
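
Added example, not part of the patch or of the srpt driver: a user-space C program showing how a 32-bit sum of imm_data_offset and a network-supplied len can wrap past a bounds check, next to the checked form. The function names, recv_len and the sample values are hypothetical, and __builtin_add_overflow() stands in for the kernel's check_add_overflow().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-in for the kernel's check_add_overflow():
 * returns true when a + b does not fit in *sum. */
static bool add_overflows_u32(uint32_t a, uint32_t b, uint32_t *sum)
{
    return __builtin_add_overflow(a, b, sum);
}

/* Unchecked form: the sum is reduced modulo 2^32 before the comparison,
 * so a huge len can produce a small req_size that passes the check. */
static bool len_ok_unchecked(uint32_t imm_data_offset, uint32_t len,
                             uint32_t recv_len)
{
    uint32_t req_size = imm_data_offset + len;

    return req_size <= recv_len;
}

/* Checked form: reject the request as soon as the addition wraps,
 * then apply the same bounds check to the true sum. */
static bool len_ok_checked(uint32_t imm_data_offset, uint32_t len,
                           uint32_t recv_len)
{
    uint32_t req_size;

    if (add_overflows_u32(imm_data_offset, len, &req_size))
        return false;
    return req_size <= recv_len;
}

int main(void)
{
    /* Constructed values: 64-byte offset, 4096 bytes actually received. */
    const uint32_t offset = 64, recv_len = 4096;
    const uint32_t lens[] = { 512, 4032, 4033, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=0x%08x unchecked=%s checked=%s\n", (unsigned)lens[i],
               len_ok_unchecked(offset, lens[i], recv_len) ? "accept" : "reject",
               len_ok_checked(offset, lens[i], recv_len) ? "accept" : "reject");
    return 0;
}
```

Only the len=0xFFFFFFFF row differs between the two columns: the unchecked sum wraps to 63 and is accepted, while the checked form rejects it.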