korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-18 11:54:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

IB/mad: Check hop count field in directed route MAD to avoid array overflow

Browse Source 
The hop count field in a directed route MAD is only allowed to be in the
range 0 to 63 (by spec).  Check that this really is the case to avoid
accessing outside the bounds of the hop array.

Reported-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
This commit is contained in:
Roland Dreier 2009-09-05 20:24:10 -07:00
parent e07cccf404
commit 60f2b652f5
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/infiniband/core/smi.c
View File

@ -52,6 +52,10 @@ enum smi_action smi_handle_dr_smp_send(struct ib_smp *smp,
hop_cnt = smp->hop_cnt; hop_cnt = smp->hop_cnt;
/* See section 14.2.2.2, Vol 1 IB spec */ /* See section 14.2.2.2, Vol 1 IB spec */
/* C14-6 -- valid hop_cnt values are from 0 to 63 */
if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
return IB_SMI_DISCARD;
if (!ib_get_smp_direction(smp)) { if (!ib_get_smp_direction(smp)) {
/* C14-9:1 */ /* C14-9:1 */
if (hop_cnt && hop_ptr == 0) { if (hop_cnt && hop_ptr == 0) {
@ -133,6 +137,10 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, u8 node_type,
hop_cnt = smp->hop_cnt; hop_cnt = smp->hop_cnt;
/* See section 14.2.2.2, Vol 1 IB spec */ /* See section 14.2.2.2, Vol 1 IB spec */
/* C14-6 -- valid hop_cnt values are from 0 to 63 */
if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
return IB_SMI_DISCARD;
if (!ib_get_smp_direction(smp)) { if (!ib_get_smp_direction(smp)) {
/* C14-9:1 -- sender should have incremented hop_ptr */ /* C14-9:1 -- sender should have incremented hop_ptr */
if (hop_cnt && hop_ptr == 0) if (hop_cnt && hop_ptr == 0)