]> git.baikalelectronics.ru Git - kernel.git/commit
RDMA/nes: Fix possible array overrun
authorRoland Dreier <rolandd@cisco.com>
Mon, 18 Feb 2008 18:33:59 +0000 (10:33 -0800)
committerRoland Dreier <rolandd@cisco.com>
Mon, 18 Feb 2008 18:33:59 +0000 (10:33 -0800)
commitb670674b8618a3351c80fab1b4e67ba9d75a5d8a
tree5d82fbb684c0adc0a01f2277f93fab7da2ac3810
parent44c72431dc2cea87d629d3607a57656dc9fa5879
RDMA/nes: Fix possible array overrun

In nes_create_qp(), the test

if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {

is used to error out if the db_index is too large; however, if the
test doesn't trigger, then the index is used as

nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp;

and mmap_nesqp is declared as

struct nes_qp      *mmap_nesqp[NES_MAX_USER_WQ_REGIONS];

which leads to an array overrun if the index is exactly equal to
NES_MAX_USER_WQ_REGIONS.  Fix this by bailing out if the index is
greater than or equal to NES_MAX_USER_WQ_REGIONS.

This was spotted by the Coverity checker (CID 2162).

Acked-by: Glenn Streiff <gstreiff@neteffect.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/infiniband/hw/nes/nes_verbs.c