This patch makes ib_copy_to_udata() check the output length before writing to userspace buffer to prevent out of bound access.
Signed-off-by: Yann Droneaud <[email protected]> Link: http://mid.gmane.org/[email protected] --- include/rdma/ib_verbs.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h index e5551ac..c59a365 100644 --- a/include/rdma/ib_verbs.h +++ b/include/rdma/ib_verbs.h @@ -1363,6 +1363,9 @@ static inline int ib_copy_from_udata(void *dest, const struct ib_udata *udata, s static inline int ib_copy_to_udata(struct ib_udata *udata, const void *src, size_t len) { + if (udata->outlen < len) { + return -ENOSPC; + } return copy_to_user(udata->outbuf, src, len) ? -EFAULT : 0; } -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
