oss-sec mailing list archives

CVE-2011-1023 kernel: rds: prevent BUG_ON triggering on congestion map updates


From: Eugene Teo <eugene () redhat com>
Date: Thu, 03 Mar 2011 22:47:44 +0800

This was discovered internally when testing CVE-2010-3904.

http://marc.info/?l=linux-netdev&m=129908332903057&w=2

"Tracked it down to a flaw in the xmit methods for the loop and ib transports. Those two transports, when called with an rds message that has the RDS_FLAG_CONG_BITMAP set, execute a rds_cong_map_updated call and return. Since the xmit method requires that the number of bytes sent be returned, and a congestion map update doesn't really send any data, it just returns the sizeof an rds_header plus the defined size of the congestion map. This is problematic because the caller of these methods (rds_send_xmit) validates that we didn't send more data than was available in the passed rds_message. If the return value from ->xmit() is larger than the remaining data in the message, we bug halt, which is exactly what we get above. We could add a check to skip the bug on check if the RDS_FLAG_CONG_BITMAP flag is set, but I think the check is otherwise valid, so I've fixed it with this patch, which limits the return value in the affected transports to not be more than the remaining space in the rds_message."

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team
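As an added illustration (model code written for this archive page, not the kernel's RDS code nor the patch itself), the C program below models the caller-side sanity check described above and the two transport return-value behaviours, before and after capping. The sizes and the MODEL_-prefixed names are assumptions standing in for the kernel's own definitions.

```c
/* Model of the bug described above: the caller checks that a transport's
 * xmit() did not report more bytes than the message holds, while a
 * congestion-map update used to report header + full map regardless.
 * All sizes and names below are assumptions for this model, not kernel values. */
#include <stdio.h>

#define MODEL_RDS_HEADER_LEN   48    /* assumed stand-in for sizeof(struct rds_header) */
#define MODEL_CONG_MAP_LEN     8192  /* assumed stand-in for the congestion map size */
#define MODEL_FLAG_CONG_BITMAP 0x01  /* models RDS_FLAG_CONG_BITMAP */

struct model_msg {
    unsigned int flags;
    unsigned int data_len;  /* payload bytes actually present in the message */
};

typedef int (*xmit_fn)(const struct model_msg *rm, unsigned int remaining);

/* Pre-fix behaviour: a congestion-map update claims it sent the header plus
 * the whole map, even though the message carries no payload of that size. */
static int xmit_unbounded(const struct model_msg *rm, unsigned int remaining)
{
    if (rm->flags & MODEL_FLAG_CONG_BITMAP)
        return MODEL_RDS_HEADER_LEN + MODEL_CONG_MAP_LEN;
    return (int)remaining;  /* ordinary data message: the model sends it all */
}

/* Post-fix behaviour: the reported count is capped at what the message
 * actually had left, so the caller's check cannot trip. */
static int xmit_bounded(const struct model_msg *rm, unsigned int remaining)
{
    int sent = xmit_unbounded(rm, remaining);
    return sent > (int)remaining ? (int)remaining : sent;
}

/* Caller-side check modelled after rds_send_xmit: returns 1 when the
 * BUG_ON condition (more bytes reported than the message holds) would fire. */
static int send_would_bug(const struct model_msg *rm, xmit_fn xmit)
{
    unsigned int remaining = MODEL_RDS_HEADER_LEN + rm->data_len;
    int ret = xmit(rm, remaining);
    return ret < 0 || (unsigned int)ret > remaining;
}

int main(void)
{
    struct model_msg cong = { MODEL_FLAG_CONG_BITMAP, 0 };  /* constructed input */
    printf("unbounded xmit would BUG: %d\n", send_would_bug(&cong, xmit_unbounded));
    printf("bounded xmit would BUG:   %d\n", send_would_bug(&cong, xmit_bounded));
    return 0;
}
```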
