RDMA/rxe: Fix packet length checks

Commit Message

Bob Pearson May 17, 2023, 5:20 p.m. UTC

In rxe_net.c a received packet, from udp or loopback, is passed
to rxe_rcv() in rxe_recv.c as a udp packet. I.e. skb->data is
pointing at the udp header. But rxe_rcv() makes length checks
to verify the packet is long enough to hold the roce headers as
if it were a roce packet. I.e. skb->data pointing at the bth
header. A runt packet would appear to have 8 more bytes than it
actually does which may lead to incorrect behavior.

This patch calls skb_pull() to adjust the skb to point at the
bth header before calling rxe_rcv() which fixes this error.

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
---
 drivers/infiniband/sw/rxe/rxe_net.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Bob Pearson May 17, 2023, 5:23 p.m. UTC | #1

On 5/17/23 12:20, Bob Pearson wrote:
> In rxe_net.c a received packet, from udp or loopback, is passed
> to rxe_rcv() in rxe_recv.c as a udp packet. I.e. skb->data is
> pointing at the udp header. But rxe_rcv() makes length checks
> to verify the packet is long enough to hold the roce headers as
> if it were a roce packet. I.e. skb->data pointing at the bth
> header. A runt packet would appear to have 8 more bytes than it
> actually does which may lead to incorrect behavior.
> 
> This patch calls skb_pull() to adjust the skb to point at the
> bth header before calling rxe_rcv() which fixes this error.
> 
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
> ---
>  drivers/infiniband/sw/rxe/rxe_net.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
> index 2bc7361152ea..26b90b8607ef 100644
> --- a/drivers/infiniband/sw/rxe/rxe_net.c
> +++ b/drivers/infiniband/sw/rxe/rxe_net.c
> @@ -159,6 +159,9 @@ static int rxe_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
>  	pkt->mask = RXE_GRH_MASK;
>  	pkt->paylen = be16_to_cpu(udph->len) - sizeof(*udph);
>  
> +	/* remove udp header */
> +	skb_pull(skb, sizeof(struct udphdr));
> +
>  	rxe_rcv(skb);
>  
>  	return 0;
> @@ -401,6 +404,9 @@ static int rxe_loopback(struct sk_buff *skb, struct rxe_pkt_info *pkt)
>  		return -EIO;
>  	}
>  
> +	/* remove udp header */
> +	skb_pull(skb, sizeof(struct udphdr));
> +
>  	rxe_rcv(skb);
>  
>  	return 0;

Ignore this. Should have been for-next.

Patch

diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
index 2bc7361152ea..26b90b8607ef 100644
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -159,6 +159,9 @@  static int rxe_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 	pkt->mask = RXE_GRH_MASK;
 	pkt->paylen = be16_to_cpu(udph->len) - sizeof(*udph);
 
+	/* remove udp header */
+	skb_pull(skb, sizeof(struct udphdr));
+
 	rxe_rcv(skb);
 
 	return 0;
@@ -401,6 +404,9 @@  static int rxe_loopback(struct sk_buff *skb, struct rxe_pkt_info *pkt)
 		return -EIO;
 	}
 
+	/* remove udp header */
+	skb_pull(skb, sizeof(struct udphdr));
+
 	rxe_rcv(skb);
 
 	return 0;