Re: [PATCH] RDMA/srpt: fix integer overflow in immediate data length check

Next message: Mostafa Saleh: "Re: [PATCH v6 08/25] KVM: arm64: iommu: Shadow host stage-2 page table"
Previous message: Bartosz Golaszewski: "Re: [PATCH v10 7/9] gpio: Remove unused `chip` and `srcu` in struct gpio_device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Romanovsky

Date: Tue May 12 2026 - 06:41:55 EST

On Mon, 04 May 2026 01:00:36 -0700, Sara Venkatesh wrote:
> imm_buf->len is a user-controlled uint32_t received from the network.
> Adding it to imm_data_offset without overflow checking allows a
> malicious initiator to send len=0xFFFFFFFF, causing req_size to wrap
> around to a small value, bypassing the bounds check, and subsequently
> passing a ~4GB length to sg_init_one().
>
> Use check_add_overflow() to detect wrapping before the comparison.
>
> [...]

Applied, thanks!

[1/1] RDMA/srpt: fix integer overflow in immediate data length check
https://git.kernel.org/rdma/rdma/c/3f716b34c639f6

Best regards,
--
Leon Romanovsky <leon@xxxxxxxxxx>