* [PATCH net 1/1] net: rds: reject oversized TCP receive messages
@ 2026-07-03 4:51 ` Ren Wei
2026-07-03 10:58 ` kernel test robot
From: Ren Wei @ 2026-07-03 4:51 UTC (permalink / raw)
To: netdev, linux-rdma, rds-devel
Cc: achender, davem, edumazet, pabeni, horms, andy.grover, yuantan098,
yifanwucs, tomapufckgml, zcliangcn, dstsmallbird,
bronzed_45_vested, enjou1224z
From: Wyatt Feng <bronzed_45_vested@icloud.com>
RDS/TCP trusts the wire h_len value once the 48-byte RDS header has
been assembled. A peer can advertise a length larger than
RDS_MAX_MSG_SIZE and force unbounded receive-side reassembly growth by
streaming payload into ti_skb_list until memory is exhausted.
Validate h_len against the existing RDS_MAX_MSG_SIZE limit before any
payload is queued. If the header is oversized, tear down the partial
incoming message, stop tcp_read_sock() immediately, and drop the
connection as a protocol error.
This keeps the sender-side and receiver-side message size contract
consistent and fixes the resource exhaustion bug in the TCP receive
path.
Fixes: 70041088e3b9 ("RDS: Add TCP transport to RDS")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <dstsmallbird@foxmail.com>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Reviewed-by: Ren Wei <enjou1224z@gmail.com>
---
net/rds/tcp_recv.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/net/rds/tcp_recv.c b/net/rds/tcp_recv.c
index ffe843ca219c..2044b8551b4f 100644
--- a/net/rds/tcp_recv.c
+++ b/net/rds/tcp_recv.c
@@ -205,9 +205,26 @@ static int rds_tcp_data_recv(read_descriptor_t *desc, struct sk_buff *skb,
offset += to_copy;
if (tc->t_tinc_hdr_rem == 0) {
+ u32 h_len;
+
+ h_len = be32_to_cpu(tinc->ti_inc.i_hdr.h_len);
+ if (h_len > RDS_MAX_MSG_SIZE) {
+ tc->t_tinc_hdr_rem = sizeof(struct rds_header);
+ tc->t_tinc_data_rem = 0;
+ tc->t_tinc = NULL;
+ rds_inc_put(&tinc->ti_inc);
+ tinc = NULL;
+ desc->count = 0;
+ desc->error = -EMSGSIZE;
+ rds_conn_path_error(cp,
+ "incoming message too large: %u bytes\n",
+ h_len);
+ left = 0;
+ goto out;
+ }
+
/* could be 0 for a 0 len message */
- tc->t_tinc_data_rem =
- be32_to_cpu(tinc->ti_inc.i_hdr.h_len);
+ tc->t_tinc_data_rem = h_len;
tinc->ti_inc.i_rx_lat_trace[RDS_MSG_RX_START] =
local_clock();
}
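Review bot: the early-exit sequence `desc->count = 0; desc->error = -EMSGSIZE; ... left = 0; goto out;` needs a short in-code comment saying why the remaining bytes of this chunk are deliberately reported as consumed (`left = 0`) rather than left for a later read: that is only correct because `desc->count = 0` stops tcp_read_sock() and rds_conn_path_error() takes the path down, and a future reader may otherwise mistake it for a lost-data bug. The same comment should note that resetting `tc->t_tinc_hdr_rem = sizeof(struct rds_header);` before the put makes any bytes that still arrive before shutdown completes parse as a fresh header, which is harmless only under that same assumption. Since the "incoming message too large" warning is triggered by a single peer-controlled header, rate-limiting that log line is also worth considering.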
--
2.47.3
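As an added user-space model (not the kernel code or this patch) of the receive-path check described in the commit message: the 48-byte header is assembled first, then h_len is validated before any payload is counted, with the unpatched and patched behaviour selectable. The h_len offset, the RDS_MAX_MSG_SIZE value and all struct and function names are assumptions made for this model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define RDS_HDR_LEN      48
#define RDS_MAX_MSG_SIZE ((uint32_t)(1 << 20))  /* assumed value for this model */
#define H_LEN_OFFSET     16                     /* assumed offset of h_len in the header */
/* hdr_rem/data_rem mirror t_tinc_hdr_rem/t_tinc_data_rem; queued stands in for ti_skb_list. */
struct rx_state { uint8_t hdr[RDS_HDR_LEN]; size_t hdr_rem, queued; uint32_t data_rem; int check_len; };
static void rx_reset(struct rx_state *st) { st->hdr_rem = RDS_HDR_LEN; st->data_rem = 0; st->queued = 0; }
/* Consume one TCP chunk; returns 0, or -EMSGSIZE once a completed header advertises
 * more than RDS_MAX_MSG_SIZE (check_len set = patched behaviour, clear = unpatched). */
int rx_feed(struct rx_state *st, const uint8_t *buf, size_t len)
{
    while (len) {
        size_t n;
        if (st->hdr_rem) {                       /* still assembling the header */
            n = len < st->hdr_rem ? len : st->hdr_rem;
            memcpy(st->hdr + RDS_HDR_LEN - st->hdr_rem, buf, n); st->hdr_rem -= n;
            if (st->hdr_rem == 0) {              /* header complete: read big-endian h_len */
                const uint8_t *p = st->hdr + H_LEN_OFFSET;
                uint32_t h_len = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
                if (st->check_len && h_len > RDS_MAX_MSG_SIZE) {
                    rx_reset(st);                /* tear down the partial message */
                    return -EMSGSIZE;            /* caller drops the connection */
                }
                st->data_rem = h_len; if (h_len == 0) st->hdr_rem = RDS_HDR_LEN; /* empty message */
            }
        } else {                                 /* queueing payload for the message */
            n = len < st->data_rem ? len : st->data_rem;
            st->queued += n; st->data_rem -= n;  /* grows without bound when unchecked */
            if (st->data_rem == 0) rx_reset(st); /* message delivered, buffers released */
        }
        buf += n; len -= n;
    }
    return 0;
}
/* Helper: send a header advertising h_len, then stream `payload` constructed zero bytes in
 * 512-byte chunks; returns -EMSGSIZE or the payload bytes still held afterwards. */
long rx_try(int check_len, uint32_t h_len, size_t payload)
{
    struct rx_state st = { .hdr_rem = RDS_HDR_LEN, .check_len = check_len };
    uint8_t hdr[RDS_HDR_LEN] = {0}, chunk[512] = {0};
    for (int i = 0; i < 4; i++) hdr[H_LEN_OFFSET + i] = (uint8_t)(h_len >> (24 - 8 * i));
    if (rx_feed(&st, hdr, sizeof hdr) < 0) return -EMSGSIZE;
    for (size_t n = 0; payload; payload -= n) {
        n = payload < sizeof chunk ? payload : sizeof chunk;
        rx_feed(&st, chunk, n);
    }
    return (long)st.queued;
}
```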