From patchwork Wed Jul 31 10:33:10 2019
X-Patchwork-Submitter: Krishnamraju Eraparaju
X-Patchwork-Id: 11067485
From: Krishnamraju Eraparaju
To: jgg@ziepe.ca, bmt@zurich.ibm.com
Cc: linux-rdma@vger.kernel.org, bharat@chelsio.com, nirranjan@chelsio.com, krishn2@chelsio.com, Krishnamraju Eraparaju
Subject: [PATCH for-rc] siw: MPA Reply handler tries to read beyond MPA message
Date: Wed, 31 Jul 2019 16:03:10 +0530
Message-Id: <20190731103310.23199-1-krishna2@chelsio.com>

While processing the MPA Reply, the SIW driver is trying to read 4 bytes
more than what the peer has advertised as private data length.

If FPDU data is received even before siw_recv_mpa_rr() has completed
reading the MPA reply, then ksock_recv() in siw_recv_mpa_rr() could also
read the FPDU, if "size" is larger than the advertised MPA reply length.

    501 static int siw_recv_mpa_rr(struct siw_cep *cep)
    502 {
            .............
    572
    573         if (rcvd > to_rcv)
    574                 return -EPROTO;   <----- Failure here

Looks like the intention here is to throw an ERROR if the received data
is more than the total private data length advertised by the peer. But
reading beyond the MPA message causes siw_cm to generate an
RDMA_CM_EVENT_CONNECT_ERROR event when the TCP socket recv buffer is
already queued with FPDU messages.

Hence, this function should only read up to the private data length.

Signed-off-by: Krishnamraju Eraparaju
---
 drivers/infiniband/sw/siw/siw_cm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c index a7cde98e73e8..8dc8cea2566c 100644 --- a/drivers/infiniband/sw/siw/siw_cm.c +++ b/drivers/infiniband/sw/siw/siw_cm.c
@@ -559,13 +559,13 @@ static int siw_recv_mpa_rr(struct siw_cep *cep) * A private data buffer gets allocated if hdr->params.pd_len != 0. */ if (!cep->mpa.pdata) { - cep->mpa.pdata = kmalloc(pd_len + 4, GFP_KERNEL); + cep->mpa.pdata = kmalloc(pd_len, GFP_KERNEL); if (!cep->mpa.pdata) return -ENOMEM; } rcvd = ksock_recv( s, cep->mpa.pdata + cep->mpa.bytes_rcvd - sizeof(struct mpa_rr), - to_rcv + 4, MSG_DONTWAIT); + to_rcv, MSG_DONTWAIT); if (rcvd < 0) return rcvd;
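
Review bot: With the ksock_recv() length reduced from "to_rcv + 4" to "to_rcv" in this hunk, the "if (rcvd > to_rcv) return -EPROTO;" check that the commit message quotes at lines 573-574 can no longer fire, because the read is now capped at to_rcv. Either remove that check in the same patch or replace it with a comment saying that surplus bytes are deliberately left in the socket receive queue for the FPDU path. The commit message itself reads the 4-byte over-read as an intentional test for a peer sending more than its advertised private data length, so it should also state explicitly that this detection is being dropped and why that is acceptable. The hunk does not show how to_rcv is derived; since the 4 bytes of slack in kmalloc() go away as well, please confirm that "cep->mpa.bytes_rcvd - sizeof(struct mpa_rr)" plus to_rcv can never exceed pd_len. For a patch marked for-rc, a Fixes: tag alongside the Signed-off-by would help stable selection.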
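
The stream behaviour the commit message describes, as an added userspace example (not code from this patch or from siw): an AF_UNIX socketpair stands in for the TCP connection, and `PD_LEN`, `FPDU_LEN` and `recv_private_data()` are hypothetical names with constructed values.

```c
/* Userspace model (added example, not siw code): a stream socket has no
 * message boundaries, so a read sized past the advertised private data
 * length swallows the start of whatever the peer queued next. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PD_LEN   8   /* constructed: advertised private data length */
#define FPDU_LEN 12  /* constructed: first FPDU queued right behind it */

/* Queue private data + FPDU back to back, then read the private data with
 * `slack` extra bytes requested. Returns bytes of FPDU still queued, or
 * -EPROTO when the read returned more than the advertised length. */
int recv_private_data(size_t slack)
{
    int sv[2];
    char tx[PD_LEN + FPDU_LEN], pdata[PD_LEN + 4], rest[FPDU_LEN];
    ssize_t rcvd, left;
    int ret;

    if (slack > 4 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -EINVAL;
    memset(tx, 'P', PD_LEN);
    memset(tx + PD_LEN, 'F', FPDU_LEN);
    if (write(sv[0], tx, sizeof(tx)) != (ssize_t)sizeof(tx)) {
        ret = -EIO;
        goto out;
    }
    rcvd = recv(sv[1], pdata, PD_LEN + slack, MSG_DONTWAIT);
    if (rcvd < 0) {
        ret = -errno;
    } else if (rcvd > PD_LEN) {
        ret = -EPROTO;            /* same test the commit message quotes */
    } else {
        /* Bounded read: the FPDU is still intact in the receive queue. */
        left = recv(sv[1], rest, sizeof(rest), MSG_DONTWAIT);
        ret = left < 0 ? -errno : (int)left;
    }
out:
    close(sv[0]);
    close(sv[1]);
    return ret;
}
```

Calling it with a slack of 4 models the pre-patch read size and a slack of 0 models the patched one.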