aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2017-12-05 17:39:23 +0300
committerJason Gunthorpe <jgg@mellanox.com>2017-12-13 11:00:14 -0700
commit54a6d63f14bdb4e899bbb4128d32717074d13862 (patch)
tree1d17148a7f7f7c0c1a5103cdd9f6cd455d81ceb7
parentRDMA/cxgb4: Add a sanity check in process_work() (diff)
downloadlinux-dev-54a6d63f14bdb4e899bbb4128d32717074d13862.tar.xz
linux-dev-54a6d63f14bdb4e899bbb4128d32717074d13862.zip
IB/mlx4: Potential buffer overflow in _mlx4_set_path()
Smatch complains about this code: drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path() error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255 The mlx4_ib_gid_index_to_real_index() does check that "port" is within bounds, but we don't check the return value for errors. It seems simple enough to add a check for that. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
-rw-r--r--drivers/infiniband/hw/mlx4/qp.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 013049bcdb53..817257f105aa 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1824,6 +1824,8 @@ static int _mlx4_set_path(struct mlx4_ib_dev *dev,
mlx4_ib_gid_index_to_real_index(dev, port,
grh->sgid_index);
+ if (real_sgid_index < 0)
+ return real_sgid_index;
if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) {
pr_err("sgid_index (%u) too large. max is %d\n",
real_sgid_index, dev->dev->caps.gid_table_len[port] - 1);