Re: [PATCH] RDMA/rtrs-srv: Reject usr_len larger than off in process_{read,write}

From: Leon Romanovsky

Date: Wed Jun 17 2026 - 08:11:09 EST


On Wed, Jun 17, 2026 at 12:52:00AM +0800, Zhenhao Wan wrote:
> process_read() and process_write() derive the data length of an I/O
> request as:
>
> usr_len = le16_to_cpu(req->usr_len);
> data_len = off - usr_len;
>
> off comes from the RDMA-Write-with-imm immediate and is only bounded
> above (off < max_chunk_size) in rtrs_srv_rdma_done(). usr_len is read
> from the chunk buffer the remote peer fills over RDMA, so it is peer
> controlled over the full u16 range and is not checked against off.
>
> If a peer sends usr_len > off, the size_t subtraction underflows and
> the pointer data + data_len passed to the ->rdma_ev() callback points
> before the chunk. The in-tree consumer rnbd_srv_rdma_ev() dereferences
> it as the message header (le16_to_cpu(hdr->type)) before validating it;
> this is an out-of-bounds read reachable from a remote peer.
>
> Reject usr_len > off before computing data_len in both paths, via the
> existing send_err_msg path. For a well-formed request off is the total
> length data_len + usr_len, so usr_len <= off holds and valid requests
> are unaffected.
>
> Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Zhenhao Wan <whi4ed0g@xxxxxxxxx>
> ---
> drivers/infiniband/ulp/rtrs/rtrs-srv.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)

It is already fixed in the commit 54bf38b27afc ("RDMA/rtrs-srv: Fix integer underflow in process_read and process_write")

Thanks
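As an added illustration of the underflow the commit message describes (this is example code written for this page, not the rtrs-srv driver and not part of either message above), the length derivation modelled in user-space C with the peer-controlled `usr_len` beside the rejected form. The chunk layout (a 2-byte `usr_len` at byte offset 2), the 128-byte chunk size, and returning `-EINVAL` as a stand-in for the server's `send_err_msg` path are assumptions of the example, not the driver's actual structures:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the length derivation discussed in the thread.
 * This is NOT the rtrs-srv code: the header layout (usr_len as a
 * little-endian u16 at byte offset 2 of the chunk) and the chunk size
 * are assumptions made for the example.
 */
#define MAX_CHUNK_SIZE 128u
#define USR_LEN_OFFSET 2u   /* assumed position of req->usr_len in the chunk */

/* Minimal stand-in for le16_to_cpu(): decode a little-endian u16. */
static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Fill a constructed chunk the way a remote peer would over RDMA write,
 * placing the peer's chosen usr_len in the header. Returns the buffer. */
static uint8_t *peer_fill_chunk(uint8_t *chunk, uint16_t peer_usr_len)
{
    memset(chunk, 0, MAX_CHUNK_SIZE);
    chunk[USR_LEN_OFFSET]     = (uint8_t)(peer_usr_len & 0xff);
    chunk[USR_LEN_OFFSET + 1] = (uint8_t)(peer_usr_len >> 8);
    return chunk;
}

/* Before the fix: off - usr_len with no check relating the two. off is
 * the immediate (bounded only by off < MAX_CHUNK_SIZE); usr_len is the
 * peer's. When usr_len > off the size_t subtraction wraps. */
static size_t unchecked_data_len(size_t off, uint16_t peer_usr_len)
{
    uint8_t chunk[MAX_CHUNK_SIZE];
    const uint8_t *data = peer_fill_chunk(chunk, peer_usr_len);
    size_t usr_len = rd_le16(data + USR_LEN_OFFSET);

    return off - usr_len;   /* wraps to a huge value if usr_len > off */
}

/* After the fix: reject usr_len > off before subtracting. Returns
 * data_len, or -EINVAL (a stand-in for the server's error reply). */
static long checked_data_len(size_t off, uint16_t peer_usr_len)
{
    uint8_t chunk[MAX_CHUNK_SIZE];
    const uint8_t *data = peer_fill_chunk(chunk, peer_usr_len);
    size_t usr_len = rd_le16(data + USR_LEN_OFFSET);

    if (usr_len > off)
        return -EINVAL;
    return (long)(off - usr_len);
}

/* The consumer reads its header at data + data_len, so that pointer must
 * not land before data or past data + off. A wrapped data_len fails this. */
static int hdr_within_chunk(size_t off, size_t data_len)
{
    return data_len <= off;
}

int main(void)
{
    size_t wrapped = unchecked_data_len(64, 100);

    printf("unchecked: off=64 usr_len=100 -> data_len=%zu (%s)\n", wrapped,
           hdr_within_chunk(64, wrapped) ? "inside chunk" : "outside chunk");
    printf("checked:   off=64 usr_len=100 -> %ld\n", checked_data_len(64, 100));
    printf("checked:   off=64 usr_len=16  -> %ld\n", checked_data_len(64, 16));
    return 0;
}
```

The point the model makes concrete: bounding `off` alone (`off < max_chunk_size`) says nothing about `usr_len`, and a single comparison between the two fields before the subtraction is what keeps the derived header pointer inside the chunk.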