From: Tianchu Chen Discovered by Atuin - Automated Vulnerability Discovery Engine. Reject DataReply payload lengths that cannot fit in recv_dless_read()'s signed size argument so a bogus remote peer cannot wrap the length negative and turn it into a huge heap OOB-write. Fixes: b411b3637fa7 ("The DRBD driver") Cc: stable@vger.kernel.org Signed-off-by: Tianchu Chen --- drivers/block/drbd/drbd_receiver.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c index 58b95bf4b..5bd3df483 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -1947,6 +1948,9 @@ static int receive_DataReply(struct drbd_connection *connection, struct packet_i if (unlikely(!req)) return -EIO; + if (pi->size > INT_MAX) + return -EINVAL; + err = recv_dless_read(peer_device, req, sector, pi->size); if (!err) req_mod(req, DATA_RECEIVED, peer_device); -- 2.51.0
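Review bot: In the receive_DataReply() hunk, the new `pi->size > INT_MAX` test only guarantees that the value fits recv_dless_read()'s signed size argument; any peer-supplied length up to INT_MAX is still accepted. Since req has already been looked up by this point, consider also rejecting a pi->size that does not match the length that request expects, so the bound is tied to the data actually being received rather than to the width of the type. Two smaller points: the adjacent `!req` failure returns -EIO while this path returns -EINVAL, so the commit message should say whether the caller treats the two differently; and a one-line comment above the check, noting that the size is later passed as a signed int, would help, because the reason for the limit is not obvious from the code alone.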