Re: [PATCH v2] RDMA/srp: bound SRP_RSP sense copy by the received length

From: Jason Gunthorpe

Date: Fri Jun 05 2026 - 13:30:32 EST


On Tue, Jun 02, 2026 at 06:04:57PM -0400, Michael Bommarito wrote:
> srp_process_rsp() copies sense data from rsp->data + resp_data_len,
> where resp_data_len is the full 32-bit value supplied by the SRP target
> and is never checked against the number of bytes actually received
> (wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
> at most 96 bytes are copied, but the source offset is not bounded.
>
> A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
> the initiator has logged into can return an SRP_RSP with
> SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
> is allocated at the target-chosen max_ti_iu_len, so the source of the
> sense copy lands past the bytes actually received; with resp_data_len
> near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.
>
> Copy the sense data only if it has not been truncated, that is, only if
> the response header, the response data, and the sense region fit within
> the bytes actually received; otherwise drop the sense and log. The
> in-tree iSER and NVMe-RDMA receive paths already bound their parse by
> wc->byte_len; this brings ib_srp into line with them.
>
> Fixes: aef9ec39c40c ("IB: Add SCSI RDMA Protocol (SRP) initiator")
> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
> Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx>

Applied with Bart's request

In future please be careful, maybe your AI hallucinated the fixes
line, it should be:

Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")

Jason
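The check described in the quoted commit message, written out as an added example in plain C so the arithmetic can be exercised on the host. This is not the kernel's ib_srp code and not Michael's patch: the struct srp_rsp_hdr layout, the field names, the opcode and flag values, and the host-byte-order fields are simplifications assumed for this example (on the wire the SRP fields are big-endian). The sample responses are constructed inline, and the naive_end_offset() helper shows why the bound must not be computed in 32-bit arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SCSI_SENSE_BUFFERSIZE 96
#define SRP_RSP_OPCODE        0xC1   /* assumed value for this example */
#define SRP_RSP_FLAG_SNSVALID 0x02   /* assumed value for this example */

/* Simplified stand-in for the SRP_RSP header; names and layout assumed. */
struct srp_rsp_hdr {
    uint8_t  opcode;
    uint8_t  flags;
    uint8_t  reserved[10];
    uint32_t sense_data_len;  /* supplied by the target: untrusted */
    uint32_t resp_data_len;   /* supplied by the target: untrusted */
    uint8_t  data[];          /* resp_data_len bytes, then sense data */
};

/* The unbounded computation: 20 + 0xFFFFFFF0 + 18 wraps to 22 in 32 bits,
 * so a check like "end <= byte_len" would wrongly pass. */
uint32_t naive_end_offset(uint32_t resp_data_len, uint32_t sense_copy_len)
{
    return (uint32_t)sizeof(struct srp_rsp_hdr) + resp_data_len + sense_copy_len;
}

/* Copy sense data only if header + response data + sense fit within the
 * bytes actually received (byte_len). Returns bytes copied, 0 if dropped.
 * All arithmetic is 64-bit so a resp_data_len near 0xFFFFFFFF cannot wrap. */
size_t copy_bounded_sense(const struct srp_rsp_hdr *rsp, size_t byte_len,
                          uint8_t *sense, size_t sense_cap)
{
    if (byte_len < sizeof(*rsp) || !(rsp->flags & SRP_RSP_FLAG_SNSVALID))
        return 0;

    uint64_t resp_len = rsp->resp_data_len;
    uint64_t copy_len = rsp->sense_data_len;
    if (copy_len > sense_cap)
        copy_len = sense_cap;              /* bound like SCSI_SENSE_BUFFERSIZE */
    uint64_t end = (uint64_t)sizeof(*rsp) + resp_len + copy_len;

    if (end > byte_len) {
        fprintf(stderr, "SRP_RSP sense truncated: resp_data_len=%u "
                "sense_data_len=%u byte_len=%zu; dropping sense\n",
                rsp->resp_data_len, rsp->sense_data_len, byte_len);
        return 0;
    }
    /* Source offset is only formed after it has been proven in bounds. */
    memcpy(sense, rsp->data + resp_len, (size_t)copy_len);
    return (size_t)copy_len;
}

/* Construct a sample response in buf; returns the byte count "received". */
static size_t build_rsp(uint8_t *buf, uint32_t resp_len_field,
                        uint32_t sense_len_field,
                        size_t resp_bytes_present, size_t sense_bytes_present)
{
    struct srp_rsp_hdr hdr = {0};
    hdr.opcode = SRP_RSP_OPCODE;
    hdr.flags = SRP_RSP_FLAG_SNSVALID;
    hdr.resp_data_len = resp_len_field;
    hdr.sense_data_len = sense_len_field;
    memcpy(buf, &hdr, sizeof hdr);
    size_t off = sizeof hdr;
    memset(buf + off, 0xAA, resp_bytes_present);            /* response data */
    off += resp_bytes_present;
    for (size_t i = 0; i < sense_bytes_present; i++)
        buf[off + i] = (uint8_t)(0x70 + i);                  /* sense bytes */
    return off + sense_bytes_present;
}

static size_t run_case(uint32_t resp_len_field, uint32_t sense_len_field,
                       size_t resp_present, size_t sense_present)
{
    _Alignas(uint32_t) uint8_t buf[128];
    uint8_t sense[SCSI_SENSE_BUFFERSIZE] = {0};
    size_t byte_len = build_rsp(buf, resp_len_field, sense_len_field,
                                resp_present, sense_present);
    size_t n = copy_bounded_sense((const struct srp_rsp_hdr *)buf, byte_len,
                                  sense, sizeof sense);
    return (n && sense[0] != 0x70) ? 0 : n;  /* copied bytes must be the sense */
}

/* Honest target: 8 bytes of response data and 18 of sense all received. */
size_t demo_honest(void)           { return run_case(8, 18, 8, 18); }
/* Hostile resp_data_len: offset far beyond the 46 received bytes; dropped. */
size_t demo_hostile_resp_len(void) { return run_case(0xFFFFFFF0u, 18, 8, 18); }
/* Sense claimed as 18 bytes but only 10 arrived; dropped rather than over-read. */
size_t demo_truncated_sense(void)  { return run_case(8, 18, 8, 10); }

int main(void)
{
    printf("honest=%zu hostile=%zu truncated=%zu naive_end=%u\n",
           demo_honest(), demo_hostile_resp_len(), demo_truncated_sense(),
           naive_end_offset(0xFFFFFFF0u, 18));
    return 0;
}
```

The point of naive_end_offset() is the wrap the commit message alludes to with "resp_data_len near 0xFFFFFFFF": summing the three lengths in 32-bit space yields a small offset that looks in-bounds, so the comparison must be done in a wider type (or with explicit overflow checks) before any pointer into rsp->data is formed.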