Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c9a6ce500d78932c43361eae28c3de81b3660c77
Commit:     c9a6ce500d78932c43361eae28c3de81b3660c77
Parent:     e22bb45d772b5e5c850a6223c2a3245f520de641
Author:     Divy Le Ray <[EMAIL PROTECTED]>
AuthorDate: Tue Aug 21 20:49:26 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Wed Oct 10 16:50:49 2007 -0700

    cxgb3 - tighten checks on TID values
    
    Enforce validity checks on connection ids
    
    Signed-off-by: Divy Le Ray <[EMAIL PROTECTED]>
    Signed-off-by: Jeff Garzik <[EMAIL PROTECTED]>
---
 drivers/net/cxgb3/cxgb3_defs.h    |   20 ++++++++++++++++++--
 drivers/net/cxgb3/cxgb3_offload.c |   28 +++++++++++++++++++++++-----
 2 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/drivers/net/cxgb3/cxgb3_defs.h b/drivers/net/cxgb3/cxgb3_defs.h
index 483a594..45e9216 100644
--- a/drivers/net/cxgb3/cxgb3_defs.h
+++ b/drivers/net/cxgb3/cxgb3_defs.h
@@ -79,9 +79,17 @@ static inline struct t3c_tid_entry *lookup_tid(const struct 
tid_info *t,
 static inline struct t3c_tid_entry *lookup_stid(const struct tid_info *t,
                                                unsigned int tid)
 {
+       union listen_entry *e;
+
        if (tid < t->stid_base || tid >= t->stid_base + t->nstids)
                return NULL;
-       return &(stid2entry(t, tid)->t3c_tid);
+
+       e = stid2entry(t, tid);
+       if ((void *)e->next >= (void *)t->tid_tab &&
+           (void *)e->next < (void *)&t->atid_tab[t->natids])
+               return NULL;
+
+       return &e->t3c_tid;
 }
 
 /*
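Review bot: The free-entry test added to lookup_stid (`e->next` lying between `t->tid_tab` and `&t->atid_tab[t->natids]`) has no comment, and it only works if the TID tables form one contiguous allocation, which this patch does not show. A comment such as `/* a free entry's next pointer links into the table memory; an in-use entry holds a t3c_tid instead */` would state that assumption where it can be checked. If the free list is NULL-terminated (not visible here), its last entry has `next == NULL`, fails the range test and is returned as if it were in use, so callers must still validate the fields of the returned entry. The same test is repeated verbatim in lookup_atid in the next hunk; a shared static inline helper taking `t` and the pointer would keep the two copies from drifting.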
@@ -90,9 +98,17 @@ static inline struct t3c_tid_entry *lookup_stid(const struct 
tid_info *t,
 static inline struct t3c_tid_entry *lookup_atid(const struct tid_info *t,
                                                unsigned int tid)
 {
+       union active_open_entry *e;
+
        if (tid < t->atid_base || tid >= t->atid_base + t->natids)
                return NULL;
-       return &(atid2entry(t, tid)->t3c_tid);
+
+       e = atid2entry(t, tid);
+       if ((void *)e->next >= (void *)t->tid_tab &&
+           (void *)e->next < (void *)&t->atid_tab[t->natids])
+               return NULL;
+
+       return &e->t3c_tid;
 }
 
 int process_rx(struct t3cdev *dev, struct sk_buff **skbs, int n);
diff --git a/drivers/net/cxgb3/cxgb3_offload.c 
b/drivers/net/cxgb3/cxgb3_offload.c
index bac9214..1c8eec3 100644
--- a/drivers/net/cxgb3/cxgb3_offload.c
+++ b/drivers/net/cxgb3/cxgb3_offload.c
@@ -57,7 +57,7 @@ static DEFINE_RWLOCK(adapter_list_lock);
 static LIST_HEAD(adapter_list);
 
 static const unsigned int MAX_ATIDS = 64 * 1024;
-static const unsigned int ATID_BASE = 0x100000;
+static const unsigned int ATID_BASE = 0x10000;
 
 static inline int offload_activated(struct t3cdev *tdev)
 {
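Review bot: The new `ATID_BASE` value carries no comment saying what constrains it, and the commit description does not mention the change. lookup_atid rejects any id outside `atid_base` .. `atid_base + natids`, so if `atid_base` is initialised from this constant (that code is outside the hunk), a wrong base makes every active-open lookup return NULL without any diagnostic. A one-line comment above the constant, naming the hardware field or TID layout that dictates the value, would let a reader check it against those range tests.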
@@ -694,10 +694,19 @@ static int do_cr(struct t3cdev *dev, struct sk_buff *skb)
 {
        struct cpl_pass_accept_req *req = cplhdr(skb);
        unsigned int stid = G_PASS_OPEN_TID(ntohl(req->tos_tid));
+       struct tid_info *t = &(T3C_DATA(dev))->tid_maps;
        struct t3c_tid_entry *t3c_tid;
+       unsigned int tid = GET_TID(req);
 
-       t3c_tid = lookup_stid(&(T3C_DATA(dev))->tid_maps, stid);
-       if (t3c_tid->ctx && t3c_tid->client->handlers &&
+       if (unlikely(tid >= t->ntids)) {
+               printk("%s: passive open TID %u too large\n",
+                      dev->name, tid);
+               t3_fatal_err(tdev2adap(dev));
+               return CPL_RET_BUF_DONE;
+       }
+
+       t3c_tid = lookup_stid(t, stid);
+       if (t3c_tid && t3c_tid->ctx && t3c_tid->client->handlers &&
            t3c_tid->client->handlers[CPL_PASS_ACCEPT_REQ]) {
                return t3c_tid->client->handlers[CPL_PASS_ACCEPT_REQ]
                    (dev, skb, t3c_tid->ctx);
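Review bot: The condition `t3c_tid && t3c_tid->ctx && t3c_tid->client->handlers` in do_cr now guards against a NULL lookup result but still dereferences `t3c_tid->client` unchecked. If an entry can hold a non-NULL `ctx` with a NULL `client` (not determinable from this hunk), a CPL message from the adapter becomes a NULL dereference in the receive path. Adding `t3c_tid->client &&` before the handlers test closes that, and the matching condition in do_act_establish in the next hunk needs the same. The added `printk` calls for the TID range check, here and in do_act_establish, have no log level, unlike the existing `KERN_ERR` message; `printk(KERN_ERR "%s: passive open TID %u too large\n",` would be consistent. do_cr's body continues past the end of this hunk.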
@@ -779,16 +788,25 @@ static int do_act_establish(struct t3cdev *dev, struct 
sk_buff *skb)
 {
        struct cpl_act_establish *req = cplhdr(skb);
        unsigned int atid = G_PASS_OPEN_TID(ntohl(req->tos_tid));
+       struct tid_info *t = &(T3C_DATA(dev))->tid_maps;
        struct t3c_tid_entry *t3c_tid;
+       unsigned int tid = GET_TID(req);
 
-       t3c_tid = lookup_atid(&(T3C_DATA(dev))->tid_maps, atid);
+       if (unlikely(tid >= t->ntids)) {
+               printk("%s: active establish TID %u too large\n",
+                      dev->name, tid);
+               t3_fatal_err(tdev2adap(dev));
+               return CPL_RET_BUF_DONE;
+       }
+
+       t3c_tid = lookup_atid(t, atid);
        if (t3c_tid && t3c_tid->ctx && t3c_tid->client->handlers &&
            t3c_tid->client->handlers[CPL_ACT_ESTABLISH]) {
                return t3c_tid->client->handlers[CPL_ACT_ESTABLISH]
                    (dev, skb, t3c_tid->ctx);
        } else {
                printk(KERN_ERR "%s: received clientless CPL command 0x%x\n",
-                      dev->name, CPL_PASS_ACCEPT_REQ);
+                      dev->name, CPL_ACT_ESTABLISH);
                return CPL_RET_BUF_DONE | CPL_RET_BAD_MSG;
        }
 }