提交 54a6d63f 编写于 作者: D Dan Carpenter 提交者: Jason Gunthorpe

IB/mlx4: Potential buffer overflow in _mlx4_set_path()

Smatch complains about this code:

    drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
    error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255

The mlx4_ib_gid_index_to_real_index() does check that "port" is within
bounds, but we don't check the return value for errors.  It seems simple
enough to add a check for that.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: NLeon Romanovsky <leonro@mellanox.com>
Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
上级 ccc04cdd
...@@ -1824,6 +1824,8 @@ static int _mlx4_set_path(struct mlx4_ib_dev *dev, ...@@ -1824,6 +1824,8 @@ static int _mlx4_set_path(struct mlx4_ib_dev *dev,
mlx4_ib_gid_index_to_real_index(dev, port, mlx4_ib_gid_index_to_real_index(dev, port,
grh->sgid_index); grh->sgid_index);
if (real_sgid_index < 0)
return real_sgid_index;
if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) { if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) {
pr_err("sgid_index (%u) too large. max is %d\n", pr_err("sgid_index (%u) too large. max is %d\n",
real_sgid_index, dev->dev->caps.gid_table_len[port] - 1); real_sgid_index, dev->dev->caps.gid_table_len[port] - 1);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册