sunrpc:fix shift-out-of-bounds for majortimeo

Next message: Kaitao Cheng: "[PATCH v2] lib/vsprintf: Make no_hash_pointers take effect early"
Previous message: WenTao Liang: "[PATCH] ALSA: control_compat: fix refcount leak in ctl_elem_write_user()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: zhangjian (CG)

Date: Thu Jun 11 2026 - 23:06:19 EST

For UDP proto, to->to_exponential is true. Too large to_retries
may cause shift-out-of-bounds error for "majortime <<= to_retries"
Add sanity checks to fix it.

Signed-off-by: zhangjian <zhangjian496@xxxxxxxxxx>
---
net/sunrpc/xprt.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 48a3618cbb29..c62f9998ffe9 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -656,10 +656,16 @@ static unsigned long xprt_calc_majortimeo(struct
rpc_rqst *req,
{
unsigned long majortimeo = req->rq_timeout;

- if (to->to_exponential)
- majortimeo <<= to->to_retries;
- else
+ if (to->to_exponential) {
+ if (to->to_retries >= BITS_PER_LONG ||
+ majortimeo > (ULONG_MAX >> to->to_retries)) {
+ majortimeo = ULONG_MAX;
+ } else {
+ majortimeo <<= to->to_retries;
+ }
+ } else {
majortimeo += to->to_increment * to->to_retries;
+ }
if (majortimeo > to->to_maxval || majortimeo == 0)
majortimeo = to->to_maxval;
return majortimeo;
--
2.33.0