[PATCH] drbd: reject oversized DataReply before signed conversion
Christoph Böhmwalder
christoph.boehmwalder at linbit.com
Fri Jul 10 12:34:42 CEST 2026
On Tue, Jun 30, 2026 at 10:59:31AM +0000, Tianchu Chen wrote:
>From: Tianchu Chen <flynnnchen at tencent.com>
>
>Discovered by Atuin - Automated Vulnerability Discovery Engine.
>
>Reject DataReply payload lengths that cannot fit in recv_dless_read()'s
>signed size argument so a bogus remote peer cannot wrap the length negative
>and turn it into a huge heap OOB-write.
>
>Fixes: b411b3637fa7 ("The DRBD driver")
>Cc: stable at vger.kernel.org
>Signed-off-by: Tianchu Chen <flynnnchen at tencent.com>
This is similar to [0], but the mentioned patch is a more complete fix.
There is also a case in recv_dless_read where data_size can underflow
when a data-integrity-alg is configured.
The other patch catches this case as well by placing the guard later, so
I would prefer to apply that one instead of this.
Thanks,
Christoph
[0] https://lore.kernel.org/all/20260710022837.3738461-1-michael.bommarito@gmail.com/
More information about the drbd-dev
mailing list