Author: slavash
Date: Wed Dec  5 13:40:05 2018
New Revision: 341553
URL: https://svnweb.freebsd.org/changeset/base/341553

Log:
  mlx5: Fix integer overflow while resizing CQ
  
  The user can provide very large cqe_size which will cause to integer
  overflow.
  
  Linux commit:
  28e9091e3119933c38933cb8fc48d5618eb784c8
  
  Approved by:    hselasky (mentor)
  MFC after:      1 week
  Sponsored by:   Mellanox Technologies

Modified:
  head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c

Modified: head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
==============================================================================
--- head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c      Wed Dec  5 13:39:35 2018        
(r341552)
+++ head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c      Wed Dec  5 13:40:05 2018        
(r341553)
@@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct
        if (ucmd.reserved0 || ucmd.reserved1)
                return -EINVAL;
 
-       umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+       /* check multiplication overflow */
+       if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+               return -EINVAL;
+
+       umem = ib_umem_get(context, ucmd.buf_addr,
+                          (size_t)ucmd.cqe_size * entries,
                           IB_ACCESS_LOCAL_WRITE, 1);
        if (IS_ERR(umem)) {
                err = PTR_ERR(umem);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to