Hello Chuck Lever,
Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data
structure") from Jun 22, 2020 (linux-next), leads to the following
Smatch static checker warning:
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk()
warn: potential user controlled sizeof overflow 'segcount * 4 * 4'
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)
489 {
490 u32 segcount;
491 __be32 *p;
492
493 if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))
^^^^^^^^
494 return false;
495
496 /* A bogus segcount causes this buffer overflow check to fail. */
497 p = xdr_inline_decode(&rctxt->rc_stream,
--> 498 segcount * rpcrdma_segment_maxsz * sizeof(*p));
segcount is an untrusted u32. On 32bit systems anything >= SIZE_MAX / 16 will
have an integer overflow and some those values will be accepted by
xdr_inline_decode().
499 return p != NULL;
500 }
regards,
dan carpenter
