In nes_create_qp(), the test

        if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {

is used to error out if the db_index is too large; however, if the
test doesn't trigger, then the index is used as

        nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp;

and mmap_nesqp is declared as

        struct nes_qp      *mmap_nesqp[NES_MAX_USER_WQ_REGIONS];

which leads to an array overrun if the index is exactly equal to
NES_MAX_USER_WQ_REGIONS.  Fix this by bailing out if the index is
greater than or equal to NES_MAX_USER_WQ_REGIONS.

This was spotted by the Coverity checker (CID 2162).

Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
---
Glenn, if this looks good to you, just ack it and I will merge it upstream.

diff --git a/drivers/infiniband/hw/nes/nes_verbs.c 
b/drivers/infiniband/hw/nes/nes_verbs.c
index ffd4b42..4dafbe1 100644
--- a/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1337,7 +1337,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
                                                                   
NES_MAX_USER_WQ_REGIONS, nes_ucontext->first_free_wq);
                                        /* nes_debug(NES_DBG_QP, 
"find_first_zero_biton wqs returned %u\n",
                                                        nespd->mmap_db_index); 
*/
-                                       if (nesqp->mmap_sq_db_index > 
NES_MAX_USER_WQ_REGIONS) {
+                                       if (nesqp->mmap_sq_db_index >= 
NES_MAX_USER_WQ_REGIONS) {
                                                nes_debug(NES_DBG_QP,
                                                          "db index > max user 
regions, failing create QP\n");
                                                nes_free_resource(nesadapter, 
nesadapter->allocated_qps, qp_num);
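Review bot: The nes_debug() string in the unchanged context right after the changed test still reads "db index > max user regions, failing create QP", which no longer matches the condition now that an index equal to NES_MAX_USER_WQ_REGIONS also takes this error path. Consider updating the message to say "db index >= max user regions" so that the log line describes the case it reports. The commented-out nes_debug() above the test prints nespd->mmap_db_index rather than the nesqp->mmap_sq_db_index value being checked, so it would be worth correcting or dropping that dead code while touching this block.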