From 21f369932aec4e9bbe1a08c796a71e7a6980b662 Mon Sep 17 00:00:00 2001 From: Alexander Motin Date: Mon, 13 Jul 2026 06:36:19 -0400 Subject: [PATCH] NTB: ntb_transport: validate length in frame header In case consumer provide receive buffer bigger than frame size, misbehaving peer can cause read beyond the frame end. Explicit check should prevent it. (cherry picked from commit fb01b8b315fd4812933e205028c788b95f4fa2d3) --- drivers/ntb/ntb_transport.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c index f7a2d6bd1c14..b692987b6515 100644 --- a/drivers/ntb/ntb_transport.c +++ b/drivers/ntb/ntb_transport.c @@ -1798,7 +1798,18 @@ static int ntb_process_rxc(struct ntb_transport_qp *qp) entry->rx_hdr = hdr; entry->rx_index = qp->rx_index; - if (hdr->len > entry->len) { + if (hdr->len > qp->rx_max_frame - sizeof(struct ntb_payload_header)) { + dev_err_ratelimited(&qp->ndev->pdev->dev, + "qp %d: RX frame too large from peer: %u > %zu\n", + qp->qp_num, hdr->len, + qp->rx_max_frame - sizeof(struct ntb_payload_header)); + qp->rx_err_oflow++; + + entry->len = -EIO; + entry->flags |= DESC_DONE_FLAG; + + ntb_complete_rxc(qp); + } else if (hdr->len > entry->len) { dev_dbg(&qp->ndev->pdev->dev, "receive buffer overflow! Wanted %d got %d\n", hdr->len, entry->len);