diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-12-05 15:39:23 +0100 |
---|---|---|
committer | Jason Gunthorpe <jgg@mellanox.com> | 2017-12-13 19:00:14 +0100 |
commit | 54a6d63f14bdb4e899bbb4128d32717074d13862 (patch) | |
tree | 1d17148a7f7f7c0c1a5103cdd9f6cd455d81ceb7 /drivers/infiniband/hw/mlx4 | |
parent | RDMA/cxgb4: Add a sanity check in process_work() (diff) | |
download | linux-54a6d63f14bdb4e899bbb4128d32717074d13862.tar.xz linux-54a6d63f14bdb4e899bbb4128d32717074d13862.zip |
IB/mlx4: Potential buffer overflow in _mlx4_set_path()
Smatch complains about this code:
drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
The mlx4_ib_gid_index_to_real_index() does check that "port" is within
bounds, but we don't check the return value for errors. It seems simple
enough to add a check for that.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'drivers/infiniband/hw/mlx4')
-rw-r--r-- | drivers/infiniband/hw/mlx4/qp.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c index 013049bcdb53..817257f105aa 100644 --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -1824,6 +1824,8 @@ static int _mlx4_set_path(struct mlx4_ib_dev *dev, mlx4_ib_gid_index_to_real_index(dev, port, grh->sgid_index); + if (real_sgid_index < 0) + return real_sgid_index; if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) { pr_err("sgid_index (%u) too large. max is %d\n", real_sgid_index, dev->dev->caps.gid_table_len[port] - 1); |