On Wed, Aug 14, 2013 at 3:58 AM, Or Gerlitz <[email protected]> wrote: > + if (cmd.flow_attr.num_of_specs) { > + kern_flow_attr = kmalloc(cmd.flow_attr.size, GFP_KERNEL); > + if (!kern_flow_attr) > + return -ENOMEM; > + > + memcpy(kern_flow_attr, &cmd.flow_attr, > sizeof(*kern_flow_attr)); > + kern_attr_size = cmd.flow_attr.size - sizeof(cmd) - > sizeof(struct ib_uverbs_cmd_hdr_ex); > + if (copy_from_user(kern_flow_attr + 1, buf + sizeof(cmd), > + kern_attr_size)) { > + err = -EFAULT; > + goto err_free_attr; > + } > + } else {
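Review bot: cmd.flow_attr.size is taken from userspace and used unchecked both as the kmalloc() length and, via kern_attr_size = cmd.flow_attr.size - sizeof(cmd) - sizeof(struct ib_uverbs_cmd_hdr_ex), as the copy_from_user() length. A size below sizeof(cmd) + sizeof(struct ib_uverbs_cmd_hdr_ex) makes that subtraction negative, which copy_from_user() receives as a huge unsigned length, and a size below sizeof(*kern_flow_attr) makes the preceding memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr)) write past the end of the allocation. Before the kmalloc(), reject any size smaller than sizeof(cmd) + sizeof(struct ib_uverbs_cmd_hdr_ex) (and smaller than sizeof(*kern_flow_attr)) or larger than a fixed upper bound with -EINVAL, and compute kern_attr_size as a size_t rather than an int.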
This looks risky... it's basically taking size fields passed in from userspace and trusting them enough to pass directly to kmalloc. In fact kern_attr_size is a plain int and I don't see even enough checking to make sure it's positive (nothing I see enforces that cmd.flow_attr.size > sizeof(cmd) + sizeof(struct ib_uverbs_cmd_hdr_ex)).

- R.
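As an added example, not code from the patch or from the ib_uverbs tree: a validation routine of the kind the review asks for, shown next to the original signed-int arithmetic so the two results can be compared on the same input. The structures (struct create_cmd, struct flow_attr, struct cmd_hdr_ex), their sizes and the MAX_FLOW_ATTR_SIZE cap are constructed stand-ins chosen for this example, not the kernel's definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures named in the patch.
 * Their layout is arbitrary; only the relative sizes matter here. */
struct cmd_hdr_ex  { uint32_t a; uint32_t b; };                 /* plays ib_uverbs_cmd_hdr_ex (8 bytes) */
struct flow_attr   { uint32_t type; uint32_t size;
                     uint32_t num_of_specs; uint32_t pad; };    /* plays ib_uverbs_flow_attr (16 bytes) */
struct create_cmd  { uint64_t qp_handle; struct flow_attr flow_attr; }; /* plays cmd (24 bytes) */

/* Hypothetical upper bound on one request, so a large size cannot drive
 * an oversized allocation. */
#define MAX_FLOW_ATTR_SIZE 4096

/*
 * Validate a user-supplied flow_attr.size before it is passed to kmalloc()
 * and before the trailing copy_from_user() length is derived from it.
 * On success returns 0 and stores the trailing payload length in
 * *payload_len; otherwise returns -EINVAL and leaves *payload_len alone.
 *
 * Every bound is compared against a constant sum, so no subtraction on
 * untrusted input is ever performed before the checks pass.
 */
int validate_flow_attr_size(uint32_t size, size_t *payload_len)
{
    const size_t fixed = sizeof(struct create_cmd) + sizeof(struct cmd_hdr_ex);

    /* The allocation must at least hold the struct the patch memcpy()s into it. */
    if (size < sizeof(struct flow_attr))
        return -EINVAL;
    /* Otherwise size - fixed would go negative. */
    if (size < fixed)
        return -EINVAL;
    /* Cap the allocation size. */
    if (size > MAX_FLOW_ATTR_SIZE)
        return -EINVAL;

    *payload_len = size - fixed;
    return 0;
}

/*
 * The arithmetic as the patch wrote it, with kern_attr_size a plain int,
 * followed by the conversion that happens when the value is handed to a
 * function taking an unsigned long length (as copy_from_user() does).
 */
unsigned long unchecked_attr_size(uint32_t size)
{
    int kern_attr_size = (int)size - (int)sizeof(struct create_cmd)
                                   - (int)sizeof(struct cmd_hdr_ex);
    return (unsigned long)kern_attr_size;
}

int main(void)
{
    uint32_t sizes[] = { 8, 16, 32, 40, 8192 };  /* constructed sample inputs */
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        size_t len = 0;
        int rc = validate_flow_attr_size(sizes[i], &len);
        printf("size=%-5u checked: rc=%d len=%zu | unchecked length: %lu\n",
               sizes[i], rc, len, unchecked_attr_size(sizes[i]));
    }
    return 0;
}
```

Build with a plain `cc` and run it: for the small sizes the checked path reports -EINVAL while the unchecked path reports a length in the 2^64 range, which is exactly what copy_from_user() would have been asked to copy.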
