
[qib7322] Validate payload length

There is no way for the hardware to give us an invalid length in the
LRH, since it must have parsed this length field in order to perform
header splitting.  However, this is difficult to prove conclusively.

Add an unnecessary length check to explicitly reject any packets
larger than the posted receive I/O buffer.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 8 years ago
parent
commit
597521ef53
1 changed files with 10 additions and 3 deletions
  1. 10
    3
      src/drivers/infiniband/qib7322.c

+ 10
- 3
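--- a/src/drivers/infiniband/qib7322.c
+++ b/src/drivers/infiniband/qib7322.c
@@ -1507,8 +1507,15 @@ static void qib7322_complete_recv ( struct ib_device *ibdev,
 			/* Completing the eager buffer described in
 			 * this header entry.
 			 */
-			iob_put ( iobuf, payload_len );
-			rc = ( err ? -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+			if ( payload_len <= iob_tailroom ( iobuf ) ) {
+				iob_put ( iobuf, payload_len );
+				rc = ( err ?
+				       -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+			} else {
+				DBGC ( qib7322, "QIB7322 %p bad payload len "
+				       "%zd\n", qib7322, payload_len );
+				rc = -EPROTO;
+			}
 			/* Redirect to target QP if necessary */
 			if ( qp != intended_qp ) {
 				DBGC2 ( qib7322, "QIB7322 %p redirecting QPN "
@@ -1519,7 +1526,7 @@ static void qib7322_complete_recv ( struct ib_device *ibdev,
 				intended_qp->recv.fill++;
 			}
 			ib_complete_recv ( ibdev, intended_qp, &dest, &source,
-					   iobuf, rc);
+					   iobuf, rc );
 		} else {
 			/* Completing on a skipped-over eager buffer */
 			ib_complete_recv ( ibdev, qp, &dest, &source, iobuf,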
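Review bot: The new bounds check at `if ( payload_len <= iob_tailroom ( iobuf ) )` has no comment, and the commit message calls it unnecessary, so a later cleanup could drop it without realising it is the only software check visible here that stops a hardware-supplied length from extending the I/O buffer past its allocation. I would add above it something like `/* Defensive: never trust the LRH-derived length beyond the posted receive buffer */`. The else branch also overrides the `err`-derived status, so a packet that is both errored and over-length completes with -EPROTO rather than -EIO; if that is intended, the same comment should say so. `payload_len` is computed outside this hunk and qib7322_complete_recv begins and ends outside it, so whether the value can wrap before reaching this comparison cannot be confirmed from here.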
