From c9af896314e33885fc91e86f531bea7e7dd1f9f3 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Wed, 30 Mar 2016 07:27:09 +0100
Subject: [PATCH] [linda] Validate payload length

There is no way for the hardware to give us an invalid length in the LRH, since it must have parsed this length field in order to perform header splitting. However, this is difficult to prove conclusively. Add an unnecessary length check to explicitly reject any packets larger than the posted receive I/O buffer.

Signed-off-by: Michael Brown
---
 src/drivers/infiniband/linda.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/drivers/infiniband/linda.c b/src/drivers/infiniband/linda.c
index 391fff429..77d50d110 100644
--- a/src/drivers/infiniband/linda.c
+++ b/src/drivers/infiniband/linda.c
@@ -1271,8 +1271,15 @@ static void linda_complete_recv ( struct ib_device *ibdev,
 /* Completing the eager buffer described in
 * this header entry.
 */
- iob_put ( iobuf, payload_len );
- rc = ( err ? -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+ if ( payload_len <= iob_tailroom ( iobuf ) ) {
+ iob_put ( iobuf, payload_len );
+ rc = ( err ?
+ -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+ } else {
+ DBGC ( linda, "Linda %p bad payload len %zd\n",
+ linda, payload_len );
+ rc = -EPROTO;
+ }
 /* Redirect to target QP if necessary */
 if ( qp != intended_qp ) {
 DBGC ( linda, "Linda %p redirecting QPN %ld "
@@ -1283,7 +1290,7 @@ static void linda_complete_recv ( struct ib_device *ibdev,
 intended_qp->recv.fill++;
 }
 ib_complete_recv ( ibdev, intended_qp, &dest, &source,
- iobuf, rc);
+ iobuf, rc );
 } else {
 /* Completing on a skipped-over eager buffer */
 ib_complete_recv ( ibdev, qp, &dest, &source, iobuf,
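Review bot: The new `payload_len <= iob_tailroom ( iobuf )` guard in the first hunk carries no in-code explanation, and the commit message itself calls the check unnecessary, so a later cleanup could remove what is now the only bound on how far `iob_put()` extends into the posted eager buffer. I would add a comment above the `if`, for example `/* Defensive: never extend past the posted receive buffer, even though the hardware-parsed LRH length is believed valid */`. The debug message in the `else` branch would also be more useful for triage if it printed the limit next to the rejected value: `DBGC ( linda, "Linda %p bad payload len %zd (max %zd)\n", linda, payload_len, iob_tailroom ( iobuf ) );`. `payload_len` is computed outside this hunk, so its type and whether the earlier arithmetic can wrap are not visible here; if it is unsigned, a wrapped value would also be rejected by this comparison, which is worth stating in the comment once confirmed. linda_complete_recv begins and ends outside the hunk.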