Commit 7244491d authored Apr 01, 2026 by hkbinbin Committed by Jason Gunthorpe Apr 09, 2026

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.

However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:

  payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
                 - RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.

Cc: stable@vger.kernel.org
Fixes: 8700e3e7 ("Soft RoCE driver")
Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com


Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

parent 6ed3d14f

drivers/infiniband/sw/rxe/rxe_recv.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb)
		pkt->qp = NULL;
		pkt->mask \|= rxe_opcode[pkt->opcode].mask;

		if (unlikely(skb->len < header_size(pkt)))
		if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
		RXE_ICRC_SIZE))
		goto drop;

		err = hdr_check(pkt);