This patch makes ib_copy_from_udata() check the input length
before reading from the userspace buffer, to prevent out-of-bounds access.

Signed-off-by: Yann Droneaud <[email protected]>
Link: http://mid.gmane.org/[email protected]
---
 include/rdma/ib_verbs.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index 21dbc42..e5551ac 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1355,6 +1355,9 @@ void  ib_set_client_data(struct ib_device *device, struct 
ib_client *client,
 
 static inline int ib_copy_from_udata(void *dest, const struct ib_udata *udata, 
size_t len)
 {
+       if (udata->inlen < len) {
+               return -EINVAL;
+       }
        return copy_from_user(dest, udata->inbuf, len) ? -EFAULT : 0;
 }
 
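Review bot: The new guard in ib_copy_from_udata() is only as reliable as the `inlen` value each caller stored in the ib_udata, and nothing in this hunk shows how that field is populated. If any path initialises the structure with a zero or header-inclusive `inlen` (not visible here, so worth auditing before merging), the check either turns previously working requests into -EINVAL or still allows a read beyond the driver-private data. I would document the contract above the function, e.g. `/* Returns -EINVAL if len exceeds udata->inlen; inlen must be the exact byte count available at inbuf. */`. Kernel coding style also omits braces around a single statement, so the test reads better as `if (udata->inlen < len)` followed by `return -EINVAL;`. The output-side helper is outside this hunk and may deserve the same bound against `outlen`.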
-- 
1.8.3.1
