* [PATCH net] net/smc: ignore peer-supplied rmbe_idx and dmbe_idx
@ 2026-07-02 17:11 Dust Li
0 siblings, 0 replies; only message in thread
From: Dust Li @ 2026-07-02 17:11 UTC (permalink / raw)
To: D. Wythe, Dust Li, Sidraya Jayagond, Wenjia Zhang,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Mahanta Jambigi, Tony Lu, Wen Gu, Simon Horman, Ursula Braun,
Hans Wippel, linux-rdma, linux-s390, netdev, linux-kernel, stable
Linux always uses exactly one RMBE per RMB (index 1 for SMC-R) and
one DMBE per DMB (index 0 for SMC-D), so conn->tx_off is always zero.
Hardcode these fixed values instead of deriving tx_off from the
peer-supplied rmbe_idx / dmbe_idx in the CLC Accept/Confirm message.
Fixes: e6727f39004b ("smc: send data (through RDMA)")
Fixes: 413498440e30 ("net/smc: add SMC-D support in af_smc")
Cc: stable@vger.kernel.org
Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
---
net/smc/af_smc.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index b5db69073e20..3706e8ac49e0 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -729,11 +729,15 @@ static void smcr_conn_save_peer_info(struct smc_sock *smc,
{
int bufsize = smc_uncompress_bufsize(clc->r0.rmbe_size);
- smc->conn.peer_rmbe_idx = clc->r0.rmbe_idx;
+ /* Linux uses exactly one RMBE per RMB (always index 1); ignore the
+ * peer-supplied rmbe_idx to prevent a malicious peer from setting an
+ * out-of-bounds tx_off.
+ */
+ smc->conn.peer_rmbe_idx = 1;
smc->conn.local_tx_ctrl.token = ntohl(clc->r0.rmbe_alert_token);
smc->conn.peer_rmbe_size = bufsize;
atomic_set(&smc->conn.peer_rmbe_space, smc->conn.peer_rmbe_size);
- smc->conn.tx_off = bufsize * (smc->conn.peer_rmbe_idx - 1);
+ smc->conn.tx_off = 0;
}
static void smcd_conn_save_peer_info(struct smc_sock *smc,
@@ -741,12 +745,16 @@ static void smcd_conn_save_peer_info(struct smc_sock *smc,
{
int bufsize = smc_uncompress_bufsize(clc->d0.dmbe_size);
- smc->conn.peer_rmbe_idx = clc->d0.dmbe_idx;
+ /* Linux uses exactly one DMBE per DMB (always index 0); ignore the
+ * peer-supplied dmbe_idx to prevent a malicious peer from deriving an
+ * out-of-bounds tx_off that causes an OOB write.
+ */
+ smc->conn.peer_rmbe_idx = 0;
smc->conn.peer_token = ntohll(clc->d0.token);
/* msg header takes up space in the buffer */
smc->conn.peer_rmbe_size = bufsize - sizeof(struct smcd_cdc_msg);
atomic_set(&smc->conn.peer_rmbe_space, smc->conn.peer_rmbe_size);
- smc->conn.tx_off = bufsize * smc->conn.peer_rmbe_idx;
+ smc->conn.tx_off = 0;
}
static void smc_conn_save_peer_info(struct smc_sock *smc,
--
2.43.7
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-07-02 17:12 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 17:11 [PATCH net] net/smc: ignore peer-supplied rmbe_idx and dmbe_idx Dust Li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox