* [PATCH net 1/1] net: rds: reject oversized TCP receive messages
[not found] <cover.1782850818.git.bronzed_45_vested@icloud.com>
@ 2026-07-03 4:51 ` Ren Wei
2026-07-03 10:58 ` kernel test robot
0 siblings, 1 reply; 2+ messages in thread
From: Ren Wei @ 2026-07-03 4:51 UTC (permalink / raw)
To: netdev, linux-rdma, rds-devel
Cc: achender, davem, edumazet, pabeni, horms, andy.grover, yuantan098,
yifanwucs, tomapufckgml, zcliangcn, dstsmallbird,
bronzed_45_vested, enjou1224z
From: Wyatt Feng <bronzed_45_vested@icloud.com>
RDS/TCP trusts the wire h_len value once the 48-byte RDS header has
been assembled. A peer can advertise a length larger than
RDS_MAX_MSG_SIZE and force unbounded receive-side reassembly growth by
streaming payload into ti_skb_list until memory is exhausted.
Validate h_len against the existing RDS_MAX_MSG_SIZE limit before any
payload is queued. If the header is oversized, tear down the partial
incoming message, stop tcp_read_sock() immediately, and drop the
connection as a protocol error.
This keeps the sender-side and receiver-side message size contract
consistent and fixes the resource exhaustion bug in the TCP receive
path.
Fixes: 70041088e3b9 ("RDS: Add TCP transport to RDS")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <dstsmallbird@foxmail.com>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Reviewed-by: Ren Wei <enjou1224z@gmail.com>
---
net/rds/tcp_recv.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/net/rds/tcp_recv.c b/net/rds/tcp_recv.c
index ffe843ca219c..2044b8551b4f 100644
--- a/net/rds/tcp_recv.c
+++ b/net/rds/tcp_recv.c
@@ -205,9 +205,26 @@ static int rds_tcp_data_recv(read_descriptor_t *desc, struct sk_buff *skb,
offset += to_copy;
if (tc->t_tinc_hdr_rem == 0) {
+ u32 h_len;
+
+ h_len = be32_to_cpu(tinc->ti_inc.i_hdr.h_len);
+ if (h_len > RDS_MAX_MSG_SIZE) {
+ tc->t_tinc_hdr_rem = sizeof(struct rds_header);
+ tc->t_tinc_data_rem = 0;
+ tc->t_tinc = NULL;
+ rds_inc_put(&tinc->ti_inc);
+ tinc = NULL;
+ desc->count = 0;
+ desc->error = -EMSGSIZE;
+ rds_conn_path_error(cp,
+ "incoming message too large: %u bytes\n",
+ h_len);
+ left = 0;
+ goto out;
+ }
+
/* could be 0 for a 0 len message */
- tc->t_tinc_data_rem =
- be32_to_cpu(tinc->ti_inc.i_hdr.h_len);
+ tc->t_tinc_data_rem = h_len;
tinc->ti_inc.i_rx_lat_trace[RDS_MSG_RX_START] =
local_clock();
}
--
2.47.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net 1/1] net: rds: reject oversized TCP receive messages
2026-07-03 4:51 ` [PATCH net 1/1] net: rds: reject oversized TCP receive messages Ren Wei
@ 2026-07-03 10:58 ` kernel test robot
0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2026-07-03 10:58 UTC (permalink / raw)
To: Ren Wei, netdev, linux-rdma, rds-devel
Cc: oe-kbuild-all, achender, davem, edumazet, pabeni, horms,
andy.grover, yuantan098, yifanwucs, tomapufckgml, zcliangcn,
dstsmallbird, bronzed_45_vested, enjou1224z
Hi Ren,
kernel test robot noticed the following build errors:
[auto build test ERROR on net/main]
url: https://github.com/intel-lab-lkp/linux/commits/Ren-Wei/net-rds-reject-oversized-TCP-receive-messages/20260703-135123
base: net/main
patch link: https://lore.kernel.org/r/c83365078ea649d7ab2d9c198a445469bffb2550.1782850818.git.bronzed_45_vested%40icloud.com
patch subject: [PATCH net 1/1] net: rds: reject oversized TCP receive messages
config: x86_64-buildonly-randconfig-006-20260703 (https://download.01.org/0day-ci/archive/20260703/202607031832.sftbLQWx-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260703/202607031832.sftbLQWx-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202607031832.sftbLQWx-lkp@intel.com/
All errors (new ones prefixed by >>, old ones prefixed by <<):
>> ERROR: modpost: "__rds_conn_path_error" [net/rds/rds_tcp.ko] undefined!
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-03 10:58 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <cover.1782850818.git.bronzed_45_vested@icloud.com>
2026-07-03 4:51 ` [PATCH net 1/1] net: rds: reject oversized TCP receive messages Ren Wei
2026-07-03 10:58 ` kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox