summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2017-12-05 15:36:54 +0100
committerJason Gunthorpe <jgg@mellanox.com>2017-12-13 19:00:13 +0100
commitccc04cdd55d8cfa7376ba96a037ba0f1b3df33c7 (patch)
treea16216a98da32b58300b4162e912cd7cc8c946b0
parentiw_cxgb4: make pointer reg_workq static (diff)
downloadlinux-ccc04cdd55d8cfa7376ba96a037ba0f1b3df33c7.tar.xz
linux-ccc04cdd55d8cfa7376ba96a037ba0f1b3df33c7.zip
RDMA/cxgb4: Add a sanity check in process_work()
The story is that Smatch marks skb->data as untrusted so it generates a warning message here: drivers/infiniband/hw/cxgb4/cm.c:4100 process_work() error: buffer overflow 'work_handlers' 241 <= 255 In other places which handle this such as t4_uld_rx_handler() there is some checking to make sure that the function pointer is not NULL. I have added bounds checking and a check for NULL here as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Steve Wise <swise@opengridcomputing.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
-rw-r--r--drivers/infiniband/hw/cxgb4/cm.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 21db3b48a617..844c9e78df8b 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -4097,9 +4097,15 @@ static void process_work(struct work_struct *work)
dev = *((struct c4iw_dev **) (skb->cb + sizeof(void *)));
opcode = rpl->ot.opcode;
- ret = work_handlers[opcode](dev, skb);
- if (!ret)
+ if (opcode >= ARRAY_SIZE(work_handlers) ||
+ !work_handlers[opcode]) {
+ pr_err("No handler for opcode 0x%x.\n", opcode);
kfree_skb(skb);
+ } else {
+ ret = work_handlers[opcode](dev, skb);
+ if (!ret)
+ kfree_skb(skb);
+ }
process_timedout_eps();
}
}