Passing huge size values to create_cq/resize_cq causes hang in align_cq_size. Fix this by validating input, similar to what we do for create_qp.
Signed-off-by: Dotan Barak <[EMAIL PROTECTED]> Signed-off-by: Michael S. Tsirkin <[EMAIL PROTECTED]> Index: last_stable/src/userspace/libmthca/src/verbs.c =================================================================== --- last_stable.orig/src/userspace/libmthca/src/verbs.c 2006-07-04 15:22:20.000000000 +0300 +++ last_stable/src/userspace/libmthca/src/verbs.c 2006-07-04 15:23:49.000000000 +0300 @@ -174,6 +174,10 @@ struct ibv_cq *mthca_create_cq(struct ib struct mthca_cq *cq; int ret; + /* Sanity check CQ size before proceeding */ + if (cqe > 131072) + return NULL; + cq = malloc(sizeof *cq); if (!cq) return NULL; @@ -264,6 +268,10 @@ int mthca_resize_cq(struct ibv_cq *ibcq, int old_cqe; int ret; + /* Sanity check CQ size before proceeding */ + if (cqe > 131072) + return EINVAL; + pthread_spin_lock(&cq->lock); cqe = align_cq_size(cqe); _______________________________________________ openib-general mailing list [email protected] http://openib.org/mailman/listinfo/openib-general To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
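Review bot: in the mthca_create_cq hunk, the new `if (cqe > 131072) return NULL;` path looks the same to the caller as the `malloc` failure just below it, since both return NULL. Setting errno to EINVAL before returning would let callers tell a rejected size from an allocation failure. The limit 131072 is also a bare literal; a named constant with a comment saying where the value comes from would document it.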
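Review bot: in the mthca_resize_cq hunk, the literal 131072 is repeated from mthca_create_cq; a shared named constant would keep the two checks from drifting apart. The check also bounds cqe only from above, so if cqe is a signed type, zero or negative values still reach `align_cq_size(cqe)`; consider rejecting those here as well. Keeping the check ahead of `pthread_spin_lock(&cq->lock)` is right, since the early return then needs no unlock.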
