Author: slavash
Date: Wed Dec 5 13:40:05 2018
New Revision: 341553
URL: https://svnweb.freebsd.org/changeset/base/341553
Log: mlx5: Fix integer overflow while resizing CQ The user can provide very large cqe_size which will cause to integer overflow. Linux commit: 28e9091e3119933c38933cb8fc48d5618eb784c8 Approved by: hselasky (mentor) MFC after: 1 week Sponsored by: Mellanox Technologies Modified: head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Modified: head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c ============================================================================== --- head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 5 13:39:35 2018 (r341552) +++ head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 5 13:40:05 2018 (r341553) @@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem); _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
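Review bot: In the added `if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)` check, the `entries - 1` term is only meaningful when `entries` is at least 1, and neither the type of `entries` nor a lower bound on it is visible in this hunk. For `entries >= 1` the test rejects exactly the cases where `(size_t)ucmd.cqe_size * entries` would exceed `SIZE_MAX`, so the arithmetic is right; a short comment stating that the caller guarantees `entries >= 1`, or an explicit `entries < 1` test in the same condition, would make that dependency clear. Separately, `ucmd.cqe_size == 0` skips the check and reaches `ib_umem_get()` with a length of 0; if zero is not a valid CQE size, it would be cleaner to reject it here with `-EINVAL` as well.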