git.baikalelectronics.ru Git - kernel.git/commit

author	Roland Dreier <rolandd@cisco.com>
	Mon, 18 Feb 2008 18:33:59 +0000 (10:33 -0800)
committer	Roland Dreier <rolandd@cisco.com>
	Mon, 18 Feb 2008 18:33:59 +0000 (10:33 -0800)
commit	b670674b8618a3351c80fab1b4e67ba9d75a5d8a
tree	5d82fbb684c0adc0a01f2277f93fab7da2ac3810	tree \| snapshot
parent	44c72431dc2cea87d629d3607a57656dc9fa5879	commit \| diff

RDMA/nes: Fix possible array overrun

In nes_create_qp(), the test

if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {

is used to error out if the db_index is too large; however, if the
test doesn't trigger, then the index is used as

nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp;

and mmap_nesqp is declared as

struct nes_qp *mmap_nesqp[NES_MAX_USER_WQ_REGIONS];

which leads to an array overrun if the index is exactly equal to
NES_MAX_USER_WQ_REGIONS. Fix this by bailing out if the index is
greater than or equal to NES_MAX_USER_WQ_REGIONS.

This was spotted by the Coverity checker (CID 2162).

Acked-by: Glenn Streiff <gstreiff@neteffect.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>