In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payloadsize() in rxercv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payloadsize() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < headersize(pkt) + bthpad(pkt) + RXEICRCSIZE where headersize(pkt) expands to rxeopcode[pkt->opcode].length. The rxeopcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bthpad(pkt) + RXEICRCSIZE which does not constrain pkt->paylen enough. rxeicrchdr() then computes rxeopcode[pkt->opcode].length - RXEBTHBYTES which underflows when length == 0 and passes a huge value to rxecrc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIGRDMARXE=y and CONFIGKASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IBMULTICASTQPN triggers: BUG: KASAN: slab-out-of-bounds in crc32le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32le+0x115/0x170 rxeicrchdr.isra.0+0x226/0x300 rxeicrccheck+0x13f/0x3a0 rxercv+0x6e1/0x16e0 rxeudpencaprecv+0x20a/0x320 udpqueuercvoneskb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication. Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.