[PATCH] drbd: reject oversized DataReply before signed conversion
From: Tianchu Chen
Date: Tue Jun 30 2026 - 07:14:33 EST
From: Tianchu Chen <flynnnchen@xxxxxxxxxxx>
Discovered by Atuin - Automated Vulnerability Discovery Engine.
Reject DataReply payload lengths that cannot fit in recv_dless_read()'s
signed size argument so a bogus remote peer cannot wrap the length negative
and turn it into a huge heap OOB-write.
Fixes: b411b3637fa7 ("The DRBD driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tianchu Chen <flynnnchen@xxxxxxxxxxx>
---
drivers/block/drbd/drbd_receiver.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 58b95bf4b..5bd3df483 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -24,6 +24,7 @@
#include <linux/memcontrol.h>
#include <linux/mm_inline.h>
#include <linux/slab.h>
+#include <linux/limits.h>
#include <uapi/linux/sched/types.h>
#include <linux/sched/signal.h>
#include <linux/pkt_sched.h>
@@ -1947,6 +1948,9 @@ static int receive_DataReply(struct drbd_connection *connection, struct packet_i
if (unlikely(!req))
return -EIO;
+ if (pi->size > INT_MAX)
+ return -EINVAL;
+
err = recv_dless_read(peer_device, req, sector, pi->size);
if (!err)
req_mod(req, DATA_RECEIVED, peer_device);
--
2.51.0