Fields in flow_attr structure are unsigned, so it's not necessary to check for negative values.
Signed-off-by: Yann Droneaud <[email protected]> Link: http://marc.info/[email protected] Link: http://mid.gmane.org/[email protected] --- drivers/infiniband/core/uverbs_cmd.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 29c89a3..0ea5529 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2669,17 +2669,18 @@ ssize_t ib_uverbs_create_flow(struct ib_uverbs_file *file, !capable(CAP_NET_ADMIN)) || !capable(CAP_NET_RAW)) return -EPERM; - if (cmd.flow_attr.num_of_specs < 0 || - cmd.flow_attr.num_of_specs > IB_FLOW_SPEC_SUPPORT_LAYERS) + if (cmd.flow_attr.num_of_specs > IB_FLOW_SPEC_SUPPORT_LAYERS) return -EINVAL; - uverbs_spec_size = cmd.flow_attr.size; + if (cmd.flow_attr.size > (in_len - sizeof(cmd))) + return -EINVAL; - if (cmd.flow_attr.size < 0 || cmd.flow_attr.size > (in_len - sizeof(cmd)) || - uverbs_spec_size < 0 || uverbs_spec_size > + if (cmd.flow_attr.size > (cmd.flow_attr.num_of_specs * sizeof(struct ib_uverbs_flow_spec))) return -EINVAL; + uverbs_spec_size = cmd.flow_attr.size; + if (cmd.flow_attr.num_of_specs) { uverbs_flow_spec = kmalloc(uverbs_spec_size, GFP_KERNEL); if (!uverbs_flow_spec) -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
