From 4266332a8ea23572ac35692bac833f57951033fc Mon Sep 17 00:00:00 2001 From: Alexander Motin Date: Mon, 13 Jul 2026 06:36:19 -0400 Subject: [PATCH] NTB: ntb_transport: validate length in frame header In case consumer provide receive buffer bigger than frame size, misbehaving peer can cause read beyond the frame end. Explicit check should prevent it. (cherry picked from commit fb01b8b315fd4812933e205028c788b95f4fa2d3) --- drivers/ntb/ntb_transport.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c index 46928f426209..3bc0d68f32f5 100644 --- a/drivers/ntb/ntb_transport.c +++ b/drivers/ntb/ntb_transport.c @@ -1806,7 +1806,18 @@ static int ntb_process_rxc(struct ntb_transport_qp *qp) entry->rx_hdr = hdr; entry->rx_index = qp->rx_index; - if (hdr->len > entry->len) { + if (hdr->len > qp->rx_max_frame - sizeof(struct ntb_payload_header)) { + dev_err_ratelimited(&qp->ndev->pdev->dev, + "qp %d: RX frame too large from peer: %u > %zu\n", + qp->qp_num, hdr->len, + qp->rx_max_frame - sizeof(struct ntb_payload_header)); + qp->rx_err_oflow++; + + entry->len = -EIO; + entry->flags |= DESC_DONE_FLAG; + + ntb_complete_rxc(qp); + } else if (hdr->len > entry->len) { dev_dbg(&qp->ndev->pdev->dev, "receive buffer overflow! Wanted %d got %d\n", hdr->len, entry->len);