Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=51af33e8e45b845d8ee85446f58e31bc4c118048
Commit:     51af33e8e45b845d8ee85446f58e31bc4c118048
Parent:     edd2fd643c500c812cae5b0d314ab9db9f959898
Author:     Roland Dreier <[EMAIL PROTECTED]>
AuthorDate: Mon Feb 18 10:33:59 2008 -0800
Committer:  Roland Dreier <[EMAIL PROTECTED]>
CommitDate: Mon Feb 18 10:33:59 2008 -0800

    RDMA/nes: Fix possible array overrun
    
    In nes_create_qp(), the test
    
        if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {
    
    is used to error out if the db_index is too large; however, if the
    test doesn't trigger, then the index is used as
    
        nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp;
    
    and mmap_nesqp is declared as
    
        struct nes_qp      *mmap_nesqp[NES_MAX_USER_WQ_REGIONS];
    
    which leads to an array overrun if the index is exactly equal to
    NES_MAX_USER_WQ_REGIONS.  Fix this by bailing out if the index is
    greater than or equal to NES_MAX_USER_WQ_REGIONS.
    
    This was spotted by the Coverity checker (CID 2162).
    
    Acked-by: Glenn Streiff <[EMAIL PROTECTED]>
    Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
---
 drivers/infiniband/hw/nes/nes_verbs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/infiniband/hw/nes/nes_verbs.c 
b/drivers/infiniband/hw/nes/nes_verbs.c
index ffd4b42..4dafbe1 100644
--- a/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1337,7 +1337,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
                                                                   
NES_MAX_USER_WQ_REGIONS, nes_ucontext->first_free_wq);
                                        /* nes_debug(NES_DBG_QP, 
"find_first_zero_biton wqs returned %u\n",
                                                        nespd->mmap_db_index); 
*/
-                                       if (nesqp->mmap_sq_db_index > 
NES_MAX_USER_WQ_REGIONS) {
+                                       if (nesqp->mmap_sq_db_index >= 
NES_MAX_USER_WQ_REGIONS) {
                                                nes_debug(NES_DBG_QP,
                                                          "db index > max user 
regions, failing create QP\n");
                                                nes_free_resource(nesadapter, 
nesadapter->allocated_qps, qp_num);
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to