diff options
| author |   Dan Carpenter <dan.carpenter@oracle.com> | 2017-12-05 17:36:54 +0300 |
|---|---|---|
| committer |   Jason Gunthorpe <jgg@mellanox.com> | 2017-12-13 11:00:13 -0700 |
| commit | ccc04cdd55d8cfa7376ba96a037ba0f1b3df33c7 (patch) | |
| tree | a16216a98da32b58300b4162e912cd7cc8c946b0 /drivers/infiniband/hw/cxgb4/cm.c | |
| parent | iw_cxgb4: make pointer reg_workq static (diff) | |
| download | linux-dev-ccc04cdd55d8cfa7376ba96a037ba0f1b3df33c7.tar.xz linux-dev-ccc04cdd55d8cfa7376ba96a037ba0f1b3df33c7.zip | |
RDMA/cxgb4: Add a sanity check in process_work()
The story is that Smatch marks skb->data as untrusted so it generates
a warning message here:
drivers/infiniband/hw/cxgb4/cm.c:4100 process_work()
error: buffer overflow 'work_handlers' 241 <= 255
In other places which handle this such as t4_uld_rx_handler() there is
some checking to make sure that the function pointer is not NULL. I
have added bounds checking and a check for NULL here as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to '')
| -rw-r--r-- | drivers/infiniband/hw/cxgb4/cm.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c index 21db3b48a617..844c9e78df8b 100644 --- a/drivers/infiniband/hw/cxgb4/cm.c +++ b/drivers/infiniband/hw/cxgb4/cm.c @@ -4097,9 +4097,15 @@ static void process_work(struct work_struct *work) dev = *((struct c4iw_dev **) (skb->cb + sizeof(void *))); opcode = rpl->ot.opcode; - ret = work_handlers[opcode](dev, skb); - if (!ret) + if (opcode >= ARRAY_SIZE(work_handlers) || + !work_handlers[opcode]) { + pr_err("No handler for opcode 0x%x.\n", opcode); kfree_skb(skb); + } else { + ret = work_handlers[opcode](dev, skb); + if (!ret) + kfree_skb(skb); + } process_timedout_eps(); } } |