Applied in 2948, thank you.
> -----Original Message-----
> From: [email protected] [mailto:ofw-
> [email protected]] On Behalf Of Fab Tillier
> Sent: Wednesday, September 22, 2010 11:56 PM
> To: [email protected]
> Subject: [ofw] [MLX4] Prevent stack corruption
>
> This is likely an unexercised path, but looks like a bug nonetheless:
>
> In the case where umv_buf::command is FALSE, the else control segment
> is taken and a stack variable's address is stored by INIT_UDATA, to be
> written later in the call to alloc_pd. The stack variable then goes
> out of scope, so the call to alloc_pd could corrupt the stack.
>
> The fix uses the status local variable as temporary storage, as it is
> unused until after the call to alloc_pd.
>
> Signed-off-by: Fab Tillier <[email protected]>
>
> Index: kernel/hca/pd.c > =================================================================== > --- kernel/hca/pd.c (revision 2947) > +++ kernel/hca/pd.c (working copy) > @@ -80,9 +80,9 @@ mlnx_allocate_pd ( > 0, sizeof(p_resp->pdn)); > } > else { > - u32 pdn; > - INIT_UDATA(&udata, NULL, &pdn, > - 0, sizeof(pdn)); > + // Discard PDN output, so use status as temp > storage. > + INIT_UDATA(&udata, NULL, &status, > + 0, sizeof(status)); > } > } > else {
>
> _______________________________________________
> ofw mailing list
> [email protected]
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw
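
Review bot: In the else branch, `INIT_UDATA(&udata, NULL, &status, 0, sizeof(status));` reuses the return-status variable as a scratch output buffer, which removes the dangling `&pdn` but makes correctness depend on two things this hunk does not show. First, the output length changes from `sizeof(pdn)` (a `u32`) to `sizeof(status)`, and the type of `status` is not visible here, so the buffer size now follows whatever that type is rather than the PDN's. Second, the comment's claim that `status` is unused until after alloc_pd has to stay true through later edits to this function. Moving `u32 pdn;` to function scope, so that it is still live when alloc_pd writes through `udata`, would fix the lifetime problem without either dependency; if `status` is kept, a compile-time size check against `u32` beside the comment would record the assumption.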
