What version of user_mad.c is this against? It doesn't apply to the
latest subversion, since you have the chunk
if (copy_from_user(((struct ib_rmpp_mad *)
packet->msg->mad)->data,
buf + sizeof (struct ib_user_mad) +
rmpp_hdr_size,
- length)) {
+ length + class_hdr_len)) {
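Review bot: On the + line the copy length becomes length + class_hdr_len, while the source pointer two lines above is already advanced by sizeof (struct ib_user_mad) + rmpp_hdr_size, and nothing in the hunk shows that this many bytes remain in the user buffer past that offset or that the destination data area can hold them. Please show how length and class_hdr_len are derived from the write size in this version, bound the copy to the bytes left after the offset, and say in the changelog what the extra class_hdr_len bytes are for.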
but the current code looks like
    if (copy_from_user(((struct ib_rmpp_mad *)
                        packet->msg->mad)->data,
                       buf + sizeof (struct ib_user_mad) +
                       rmpp_hdr_size,
                       length - rmpp_hdr_size)) {
I don't see how the current code could be wrong: at the beginning of
the function, we do:
    length = count - sizeof (struct ib_user_mad);
so length is the size of the buffer passed in by userspace, less the
size of our user_mad header. Then in the copy_from_user() call, we're
copying from an offset of sizeof (struct ib_user_mad) + rmpp_hdr_size
after the beginning of the buffer, so we should copy at most the size
of the buffer less that offset, which is exactly length - rmpp_hdr_size.
If I'm wrong, can you regenerate your patch against the current code
and provide a better changelog entry that describes what you're fixing?
- R.
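
The bounds argument in the message above, as an added example that is not part of the original e-mail or of user_mad.c: a user-space model that checks whether each of the three length expressions from the thread stays inside a write buffer of count bytes, taking length = count - sizeof (struct ib_user_mad) as the message states. The header sizes, the enum and both function names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical sizes for illustration; the real ones come from the kernel tree. */
#define USER_MAD_HDR_SIZE 64u  /* stands in for sizeof (struct ib_user_mad) */
#define RMPP_HDR_SIZE     36u  /* stands in for rmpp_hdr_size */
#define CLASS_HDR_LEN     20u  /* stands in for class_hdr_len */

enum len_expr { LEN_PLAIN, LEN_PLUS_CLASS_HDR, LEN_MINUS_RMPP_HDR };

/* 1 if [src_off, src_off + copy_len) lies inside a buffer of count bytes. */
static int copy_in_bounds(size_t count, size_t src_off, size_t copy_len)
{
    return src_off <= count && copy_len <= count - src_off;
}

/* Models the copy discussed in the message. Returns 1 when the read stays
 * inside the user buffer, 0 when it runs past the end, and -1 when count is
 * too small to hold both headers (the subtractions would wrap). */
static int check_copy(size_t count, enum len_expr which)
{
    size_t src_off = USER_MAD_HDR_SIZE + RMPP_HDR_SIZE;
    size_t length, copy_len;

    if (count < src_off)
        return -1;
    length = count - USER_MAD_HDR_SIZE;

    switch (which) {
    case LEN_PLAIN:          copy_len = length;                 break;
    case LEN_PLUS_CLASS_HDR: copy_len = length + CLASS_HDR_LEN; break;
    default:                 copy_len = length - RMPP_HDR_SIZE; break;
    }
    return copy_in_bounds(count, src_off, copy_len);
}

int main(void)
{
    size_t count = 320; /* constructed write() size */
    printf("length                 -> %d\n", check_copy(count, LEN_PLAIN));
    printf("length + class_hdr_len -> %d\n", check_copy(count, LEN_PLUS_CLASS_HDR));
    printf("length - rmpp_hdr_size -> %d\n", check_copy(count, LEN_MINUS_RMPP_HDR));
    return 0;
}
```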