qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Subject: net/smc: check return value of sock_recvmsg when draining clc data 

JIRA: https://issues.redhat.com/browse/RHEL-73484
Conflicts: Fix merge conflicts - no functional changes.
CVE: CVE-2024-57791

commit c5b8ee5022a19464783058dc6042e8eefa34e8cd
Author: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Date:   Wed Dec 11 17:21:21 2024 +0800

    net/smc: check return value of sock_recvmsg when draining clc data

    When receiving clc msg, the field length in smc_clc_msg_hdr indicates the
    length of msg should be received from network and the value should not be
    fully trusted as it is from the network. Once the value of length exceeds
    the value of buflen in function smc_clc_wait_msg it may run into deadloop
    when trying to drain the remaining data exceeding buflen.

    This patch checks the return value of sock_recvmsg when draining data in
    case of deadloop in draining.

    Fixes: fb4f79264c ("net/smc: tolerate future SMCD versions")
    Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
    Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
    Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Mete Durlu <mdurlu@redhat.com>
This commit is contained in:
Mete Durlu 2025-05-16 17:53:01 +02:00
parent 5d3d77113f
commit dda5e87d44
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
net/smc/smc_clc.c
View File

@ -774,6 +774,11 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
SMC_CLC_RECV_BUF_LEN : datlen;
iov_iter_kvec(&msg.msg_iter, READ, &vec, 1, recvlen);
len = sock_recvmsg(smc->clcsock, &msg, krflags);
if (len < recvlen) {
smc->sk.sk_err = EPROTO;
reason_code = -EPROTO;
goto out;
}
datlen -= len;
}
if (clcm->type == SMC_CLC_DECLINE) {