Commit:     51af33e8e45b845d8ee85446f58e31bc4c118048
Parent:     edd2fd643c500c812cae5b0d314ab9db9f959898
Author:     Roland Dreier <[EMAIL PROTECTED]>
AuthorDate: Mon Feb 18 10:33:59 2008 -0800
Committer:  Roland Dreier <[EMAIL PROTECTED]>
CommitDate: Mon Feb 18 10:33:59 2008 -0800

    RDMA/nes: Fix possible array overrun

    In nes_create_qp(), the test

        if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {

    is used to error out if the db_index is too large; however, if the
    test doesn't trigger, then the index is used as

        nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp;

    and mmap_nesqp is declared as

        struct nes_qp      *mmap_nesqp[NES_MAX_USER_WQ_REGIONS];

    which leads to an array overrun if the index is exactly equal to
    NES_MAX_USER_WQ_REGIONS.  Fix this by bailing out if the index is
    greater than or equal to NES_MAX_USER_WQ_REGIONS.

    This was spotted by the Coverity checker (CID 2162).

    Acked-by: Glenn Streiff <[EMAIL PROTECTED]>
    Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
 drivers/infiniband/hw/nes/nes_verbs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/infiniband/hw/nes/nes_verbs.c 
index ffd4b42..4dafbe1 100644
--- a/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1337,7 +1337,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
NES_MAX_USER_WQ_REGIONS, nes_ucontext->first_free_wq);
                                        /* nes_debug(NES_DBG_QP, 
"find_first_zero_biton wqs returned %u\n",
-                                       if (nesqp->mmap_sq_db_index > 
+                                       if (nesqp->mmap_sq_db_index >= 
                                                          "db index > max user 
regions, failing create QP\n");
nesadapter->allocated_qps, qp_num);
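Review bot: the debug string in the failure branch still reads "db index > max user regions, failing create QP\n" while the condition on the changed line is now `>=`, so the log text no longer describes the equality case that this patch newly rejects. Consider rewording it to "db index >= max user regions" (or "db index out of range") in the same change, so that anyone reading the debug output for a failed create QP sees the bound that was actually enforced. Since mmap_nesqp is sized by NES_MAX_USER_WQ_REGIONS and the same constant appears in the context line above the check, it would also be worth auditing the other places in this file that compare an index against that constant for the same `>` versus `>=` slip.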