> >> +  kern_spec = kern_flow_attr + 1;
> >> +  ib_spec = flow_attr + 1;
> >> +  for (i = 0; i < flow_attr->num_of_specs; i++) {
> >> +          err = kern_spec_to_ib_spec(kern_spec, ib_spec);
> >> +          if (err)
> >> +                  goto err_free;
> >> +          flow_attr->size +=
> >> +                  ((struct _ib_flow_spec *)ib_spec)->size;
> >> +          kern_spec += ((struct ib_kern_spec *)kern_spec)->size;
> >> +          ib_spec += ((struct _ib_flow_spec *)ib_spec)->size;
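Review bot: the loop advances kern_spec by the user-supplied `((struct ib_kern_spec *)kern_spec)->size` with no check that that many bytes remain in the buffer copied from userspace, so a spec carrying an inflated size moves the pointer past the copied data and the next iteration hands whatever follows to kern_spec_to_ib_spec; bound the walk by tracking bytes consumed against the copied length (stop when either num_of_specs or the buffer is exhausted), and have kern_spec_to_ib_spec reject a spec whose size does not equal the kernel struct size for its type before that size is used to advance either pointer. The `ib_spec +=` step, which uses the size the conversion just wrote, is safe only once the input size has been validated this way.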
> > I didn't see where the ib_kern_spec size field was validated.  Maybe add
> > this check to kern_spec_to_ib_spec?
> It wasn't validated. The function could be written in a more secure
> way, meaning we should only loop until we meet flow_attr->num_of_specs
> or we have exhausted all the bytes we copied from the user.
> Furthermore, as you said, it'll be more secure to add a new check in
> kern_spec_to_ib_spec that verifies that the size that the user sent
> matches the size of the kernel's struct.

It needs to be validated, otherwise the code above will walk off into random 
memory.

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
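The bounded walk the replies describe (stop at num_of_specs or when the copied bytes run out, and reject a spec whose size field does not match the kernel struct) written out as a stand-alone user-space example. This is added illustration, not code from the patch or from the kernel tree: `struct ib_kern_spec`, `struct kern_spec_eth`, `walk_specs`, `expected_spec_size` and the scenario functions are constructed stand-ins with a hypothetical layout, and the input buffers are built inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the user-visible spec header and one spec
 * body (hypothetical layout; not the real uverbs structs). */
struct ib_kern_spec {
    uint32_t type;
    uint16_t size;      /* total bytes in this spec, as claimed by the caller */
    uint16_t reserved;
};

struct kern_spec_eth {
    struct ib_kern_spec hdr;
    uint8_t dst_mac[6];
    uint8_t src_mac[6];
};

enum { SPEC_TYPE_ETH = 1 };
enum walk_err { WALK_OK = 0, WALK_BAD_SIZE = -1, WALK_TRUNCATED = -2 };

/* Size the kernel expects for a given spec type; 0 means unknown type. */
static size_t expected_spec_size(uint32_t type)
{
    switch (type) {
    case SPEC_TYPE_ETH:
        return sizeof(struct kern_spec_eth);
    default:
        return 0;
    }
}

/* Walk up to num_specs specs inside buf[0..len). Stops with an error if a
 * spec's claimed size differs from the kernel struct for its type, or if
 * the bytes remaining in the copied buffer cannot hold the spec. */
int walk_specs(const uint8_t *buf, size_t len, unsigned num_specs,
               unsigned *parsed)
{
    size_t off = 0;

    *parsed = 0;
    for (unsigned i = 0; i < num_specs; i++) {
        struct ib_kern_spec hdr;
        size_t want;

        /* Never read even the header past the end of the copied data. */
        if (len - off < sizeof(hdr))
            return WALK_TRUNCATED;
        memcpy(&hdr, buf + off, sizeof(hdr));

        /* The caller-supplied size must equal the kernel struct size. */
        want = expected_spec_size(hdr.type);
        if (want == 0 || hdr.size != want)
            return WALK_BAD_SIZE;
        if (len - off < want)
            return WALK_TRUNCATED;

        /* Only now is it safe to advance by the spec's size. */
        off += want;
        (*parsed)++;
    }
    return WALK_OK;
}

/* Build n back-to-back Ethernet specs into out (constructed sample input).
 * last_size overrides the size field of the final spec so a wrong size can
 * be shown being rejected. Returns the number of bytes written. */
static size_t build_eth_specs(uint8_t *out, unsigned n, uint16_t last_size)
{
    size_t off = 0;

    for (unsigned i = 0; i < n; i++) {
        struct kern_spec_eth spec;

        memset(&spec, 0, sizeof(spec));
        spec.hdr.type = SPEC_TYPE_ETH;
        spec.hdr.size = (i + 1 == n) ? last_size : (uint16_t)sizeof(spec);
        spec.dst_mac[5] = (uint8_t)i;
        memcpy(out + off, &spec, sizeof(spec));
        off += sizeof(spec);
    }
    return off;
}

/* Scenarios: a well-formed buffer, a spec whose size field lies, and a
 * caller claiming more specs than were copied in. Each returns walk_err. */
int scenario_valid(void)
{
    uint8_t buf[64]; unsigned parsed;
    size_t len = build_eth_specs(buf, 2, sizeof(struct kern_spec_eth));
    return walk_specs(buf, len, 2, &parsed);
}

int scenario_bad_size(void)
{
    uint8_t buf[64]; unsigned parsed;
    size_t len = build_eth_specs(buf, 2, 0xFFFF);
    return walk_specs(buf, len, 2, &parsed);
}

int scenario_truncated(void)
{
    uint8_t buf[64]; unsigned parsed;
    size_t len = build_eth_specs(buf, 1, sizeof(struct kern_spec_eth));
    return walk_specs(buf, len, 2, &parsed);
}

int main(void)
{
    printf("valid=%d bad_size=%d truncated=%d\n",
           scenario_valid(), scenario_bad_size(), scenario_truncated());
    return 0;
}
```

The two checks are deliberately ordered: the header is read only after confirming it fits, and the size field is compared against the kernel's own struct size before it is used to move the cursor, so a lying size field can never carry the walk outside the copied buffer.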
