
[linda] Validate payload length

There is no way for the hardware to give us an invalid length in the
LRH, since it must have parsed this length field in order to perform
header splitting.  However, this is difficult to prove conclusively.

Add an unnecessary length check to explicitly reject any packets
larger than the posted receive I/O buffer.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown před 8 roky
rodič
revize
c9af896314
1 změnil soubory, kde provedl 10 přidání a 3 odebrání
  1. 10
    3
      src/drivers/infiniband/linda.c

+ 10
- 3
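--- a/src/drivers/infiniband/linda.c
+++ b/src/drivers/infiniband/linda.c
@@ -1271,8 +1271,15 @@ static void linda_complete_recv ( struct ib_device *ibdev,
 			/* Completing the eager buffer described in
 			 * this header entry.
 			 */
-			iob_put ( iobuf, payload_len );
-			rc = ( err ? -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+			if ( payload_len <= iob_tailroom ( iobuf ) ) {
+				iob_put ( iobuf, payload_len );
+				rc = ( err ?
+				       -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+			} else {
+				DBGC ( linda, "Linda %p bad payload len %zd\n",
+				       linda, payload_len );
+				rc = -EPROTO;
+			}
 			/* Redirect to target QP if necessary */
 			if ( qp != intended_qp ) {
 				DBGC ( linda, "Linda %p redirecting QPN %ld "
@@ -1283,7 +1290,7 @@ static void linda_complete_recv ( struct ib_device *ibdev,
 				intended_qp->recv.fill++;
 			}
 			ib_complete_recv ( ibdev, intended_qp, &dest, &source,
-					   iobuf, rc);
+					   iobuf, rc );
 		} else {
 			/* Completing on a skipped-over eager buffer */
 			ib_complete_recv ( ibdev, qp, &dest, &source, iobuf,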
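Review bot: The length check added before `iob_put ( iobuf, payload_len )` carries no comment, and since the commit message itself calls it unnecessary, a later cleanup could drop the only guard that keeps the buffer's tail from being advanced past its tailroom. I would add above the `if` something like `/* Defensive: never extend the I/O buffer beyond its tailroom, even if the LRH length is wrong */`. `payload_len` is declared and computed outside this hunk (linda_complete_recv starts and ends beyond it), so it is worth confirming its type: a negative or wrapped value is presumably also rejected by the comparison with `iob_tailroom ( iobuf )`, but only if that comparison ends up unsigned. Printing the tailroom next to the length in the `DBGC` line would make a rejected packet easier to diagnose, and note that when `err` is set on an oversized packet the caller now sees `-EPROTO` rather than `-EIO`.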
