CVE-2024-40992

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix responder length checking for UD request packets<br /> <br /> According to the IBA specification:<br /> If a UD request packet is detected with an invalid length, the request<br /> shall be an invalid request and it shall be silently dropped by<br /> the responder. The responder then waits for a new request packet.<br /> <br /> commit 689c5421bfe0 ("RDMA/rxe: Fix incorrect responder length checking")<br /> defers responder length check for UD QPs in function `copy_data`.<br /> But it introduces a regression issue for UD QPs.<br /> <br /> When the packet size is too large to fit in the receive buffer.<br /> `copy_data` will return error code -EINVAL. Then `send_data_in`<br /> will return RESPST_ERR_MALFORMED_WQE. UD QP will transfer into<br /> ERROR state.