[PATCH] drbd: reject data replies with an out-of-range payload size

Jens Axboe axboe at kernel.dk
Fri Jul 10 17:09:05 CEST 2026


On Thu, 09 Jul 2026 22:28:37 -0400, Michael Bommarito wrote:
> recv_dless_read() receives a P_DATA_REPLY from a peer into the bio of an
> outstanding read request. The peer-supplied payload length reaches it as
> the signed int data_size, and two peer-controlled inputs can make it
> negative. With a negotiated data-integrity-alg the digest length is
> subtracted first, so a reply whose payload is smaller than the digest
> underflows data_size. With no integrity algorithm (the default) data_size
> is assigned from the unsigned h95/h100 wire length and drbdd() never
> bounds it for a payload-carrying command, so a length above INT_MAX casts
> it negative; this path needs no non-default feature. The bio receive loop
> then computes expect = min_t(int, data_size, bv_len), which is negative,
> and drbd_recv_all_warn(mapped, expect) receives with a size_t of SIZE_MAX
> into the first mapped page.
> 
> [...]

Applied, thanks!

[1/1] drbd: reject data replies with an out-of-range payload size
      commit: bd910a7660d280595ef94cb6d193951d855d330f

Best regards,
-- 
Jens Axboe





More information about the drbd-dev mailing list