Message ID | 1362363491-24501-1-git-send-email-amwang@redhat.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On 3/3/2013 8:18 PM, Cong Wang wrote:
> From: Cong Wang <amwang@redhat.com>
>
> Dave Jones reported the following bug:
>
> "When fed mangled socket data, rds will trust what userspace gives it,
> and tries to allocate enormous amounts of memory larger than what
> kmalloc can satisfy."
>
> Reported-by: Dave Jones <davej@redhat.com>
> Cc: Dave Jones <davej@redhat.com>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
> Signed-off-by: Cong Wang <amwang@redhat.com>
>
Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Cong Wang <amwang@redhat.com>
Date: Mon, 4 Mar 2013 10:18:11 +0800

> From: Cong Wang <amwang@redhat.com>
>
> Dave Jones reported the following bug:
>
> "When fed mangled socket data, rds will trust what userspace gives it,
> and tries to allocate enormous amounts of memory larger than what
> kmalloc can satisfy."
 ...
> Reported-by: Dave Jones <davej@redhat.com>
> Cc: Dave Jones <davej@redhat.com>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
> Signed-off-by: Cong Wang <amwang@redhat.com>

Applied and queued up for -stable, thanks.
diff --git a/net/rds/message.c b/net/rds/message.c index f0a4658..aff589c 100644 --- a/net/rds/message.c +++ b/net/rds/message.c @@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(unsigned int extra_len, gfp_t gfp) { struct rds_message *rm; + if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message)) + return NULL; + rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp); if (!rm) goto out;
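Review bot: The new bound at the top of rds_message_alloc() carries no comment saying why it is there; a one-line comment above `if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))` noting that extra_len can derive from userspace-supplied socket data (per the commit message) would keep the check from being dropped as redundant later. The subtraction form is the right one: it caps the total request at KMALLOC_MAX_SIZE and also rules out wraparound in `sizeof(struct rds_message) + extra_len` on builds where size_t is no wider than the `unsigned int` extra_len. The early `return NULL` gives callers the same result as the `!rm` allocation-failure path, so an oversized length cannot be told apart from memory pressure; if that distinction matters, rejecting the length in the callers with a distinct error before calling in would be cleaner.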