From: Prasad J Pandit <p...@fedoraproject.org>
When creating CQ/QP rings, an object can have up to
PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
to avoid excessive memory allocation or a null dereference.
Reported-by: Li Qiang <liq...@163.com>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.sh...@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelb...@gmail.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 3b94545761..f236ac4795 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing
**ring,
int rc = -EINVAL;
char ring_name[MAX_RING_NAME_SZ];
+ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
+ pr_dbg("invalid nchunks: %d\n", nchunks);
+ return rc;
+ }
+
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t
pdir_dma,
char ring_name[MAX_RING_NAME_SZ];
uint32_t wqe_sz;
+ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
+ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
+ return rc;
+ }
+
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
--
2.17.1
