From: Krishnamraju Eraparaju <krishna2@chelsio.com>
To: jgg@ziepe.ca, bmt@zurich.ibm.com
Cc: linux-rdma@vger.kernel.org, bharat@chelsio.com,
nirranjan@chelsio.com, krishn2@chelsio.com,
Krishnamraju Eraparaju <krishna2@chelsio.com>
Subject: [PATCH for-rc] siw: MPA Reply handler tries to read beyond MPA message
Date: Wed, 31 Jul 2019 16:03:10 +0530 [thread overview]
Message-ID: <20190731103310.23199-1-krishna2@chelsio.com> (raw)
while processing MPA Reply, SIW driver is trying to read extra 4 bytes
than what peer has advertised as private data length.
If a FPDU data is received before even siw_recv_mpa_rr() completed
reading MPA reply, then ksock_recv() in siw_recv_mpa_rr() could also
read FPDU, if "size" is larger than advertised MPA reply length.
501 static int siw_recv_mpa_rr(struct siw_cep *cep)
502 {
.............
572
573 if (rcvd > to_rcv)
574 return -EPROTO; <----- Failure here
Looks like the intention here is to throw an ERROR if the received data
is more than the total private data length advertised by the peer. But
reading beyond MPA message causes siw_cm to generate
RDMA_CM_EVENT_CONNECT_ERROR event when TCP socket recv buffer is already
queued with FPDU messages.
Hence, this function should only read upto private data length.
Signed-off-by: Krishnamraju Eraparaju <krishna2@chelsio.com>
---
drivers/infiniband/sw/siw/siw_cm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c
index a7cde98e73e8..8dc8cea2566c 100644
--- a/drivers/infiniband/sw/siw/siw_cm.c
+++ b/drivers/infiniband/sw/siw/siw_cm.c
@@ -559,13 +559,13 @@ static int siw_recv_mpa_rr(struct siw_cep *cep)
* A private data buffer gets allocated if hdr->params.pd_len != 0.
*/
if (!cep->mpa.pdata) {
- cep->mpa.pdata = kmalloc(pd_len + 4, GFP_KERNEL);
+ cep->mpa.pdata = kmalloc(pd_len, GFP_KERNEL);
if (!cep->mpa.pdata)
return -ENOMEM;
}
rcvd = ksock_recv(
s, cep->mpa.pdata + cep->mpa.bytes_rcvd - sizeof(struct mpa_rr),
- to_rcv + 4, MSG_DONTWAIT);
+ to_rcv, MSG_DONTWAIT);
if (rcvd < 0)
return rcvd;
--
2.23.0.rc0
next reply other threads:[~2019-07-31 10:33 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-31 10:33 Krishnamraju Eraparaju [this message]
2019-07-31 19:17 ` [PATCH for-rc] siw: MPA Reply handler tries to read beyond MPA message Doug Ledford
2019-08-01 11:34 ` Krishnamraju Eraparaju
2019-08-01 10:56 ` Bernard Metzler
2019-08-01 15:36 ` Doug Ledford
2019-08-01 18:53 ` Tom Talpey
2019-08-02 11:18 ` Bernard Metzler
2019-08-02 12:47 ` Tom Talpey
[not found] ` <20190805172605.GA5549@chelsio.com>
2019-08-08 15:05 ` Bernard Metzler
2019-08-08 16:46 ` Krishnamraju Eraparaju
2019-08-09 10:29 ` Bernard Metzler
2019-08-09 12:27 ` Tom Talpey
2019-08-09 13:52 ` Bernard Metzler
2019-08-09 20:35 ` Tom Talpey
2019-08-12 9:58 ` Krishnamraju Eraparaju
2019-08-12 12:56 ` Bernard Metzler
2019-08-13 8:05 ` Krishnamraju Eraparaju
2019-08-09 12:32 ` Tom Talpey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190731103310.23199-1-krishna2@chelsio.com \
--to=krishna2@chelsio.com \
--cc=bharat@chelsio.com \
--cc=bmt@zurich.ibm.com \
--cc=jgg@ziepe.ca \
--cc=krishn2@chelsio.com \
--cc=linux-rdma@vger.kernel.org \
--cc=nirranjan@chelsio.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox