* [PATCH] IB/mlx4: Potential buffer overflow in _mlx4_set_path()
@ 2017-12-05 14:39 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-12-05 14:39 UTC (permalink / raw)
To: Yishai Hadas
Cc: Doug Ledford, Jason Gunthorpe, linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
Smatch complains about this code:
drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
The mlx4_ib_gid_index_to_real_index() does check that "port" is within
bounds, but we don't check the return value for errors. It seems simple
enough to add a check for that.
Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
---
Static analysis. Not tested.
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 013049bcdb53..817257f105aa 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1824,6 +1824,8 @@ static int _mlx4_set_path(struct mlx4_ib_dev *dev,
mlx4_ib_gid_index_to_real_index(dev, port,
grh->sgid_index);
+ if (real_sgid_index < 0)
+ return real_sgid_index;
if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) {
pr_err("sgid_index (%u) too large. max is %d\n",
real_sgid_index, dev->dev->caps.gid_table_len[port] - 1);
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] IB/mlx4: Potential buffer overflow in _mlx4_set_path()
@ 2017-12-05 14:39 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-12-05 14:39 UTC (permalink / raw)
To: Yishai Hadas
Cc: Doug Ledford, Jason Gunthorpe, linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
Smatch complains about this code:
drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
The mlx4_ib_gid_index_to_real_index() does check that "port" is within
bounds, but we don't check the return value for errors. It seems simple
enough to add a check for that.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Static analysis. Not tested.
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 013049bcdb53..817257f105aa 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1824,6 +1824,8 @@ static int _mlx4_set_path(struct mlx4_ib_dev *dev,
mlx4_ib_gid_index_to_real_index(dev, port,
grh->sgid_index);
+ if (real_sgid_index < 0)
+ return real_sgid_index;
if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) {
pr_err("sgid_index (%u) too large. max is %d\n",
real_sgid_index, dev->dev->caps.gid_table_len[port] - 1);
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] IB/mlx4: Potential buffer overflow in _mlx4_set_path()
2017-12-05 14:39 ` Dan Carpenter
@ 2017-12-05 15:53 ` Leon Romanovsky
-1 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2017-12-05 15:53 UTC (permalink / raw)
To: Dan Carpenter
Cc: Yishai Hadas, Doug Ledford, Jason Gunthorpe,
linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 596 bytes --]
On Tue, Dec 05, 2017 at 05:39:23PM +0300, Dan Carpenter wrote:
> Smatch complains about this code:
>
> drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
> error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
>
> The mlx4_ib_gid_index_to_real_index() does check that "port" is within
> bounds, but we don't check the return value for errors. It seems simple
> enough to add a check for that.
>
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
> ---
Thanks,
Reviewed-by: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] IB/mlx4: Potential buffer overflow in _mlx4_set_path()
@ 2017-12-05 15:53 ` Leon Romanovsky
0 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2017-12-05 15:53 UTC (permalink / raw)
To: Dan Carpenter
Cc: Yishai Hadas, Doug Ledford, Jason Gunthorpe,
linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 540 bytes --]
On Tue, Dec 05, 2017 at 05:39:23PM +0300, Dan Carpenter wrote:
> Smatch complains about this code:
>
> drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
> error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
>
> The mlx4_ib_gid_index_to_real_index() does check that "port" is within
> bounds, but we don't check the return value for errors. It seems simple
> enough to add a check for that.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
Thanks,
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: IB/mlx4: Potential buffer overflow in _mlx4_set_path()
2017-12-05 14:39 ` Dan Carpenter
@ 2017-12-13 18:20 ` Jason Gunthorpe
-1 siblings, 0 replies; 6+ messages in thread
From: Jason Gunthorpe @ 2017-12-13 18:20 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Yishai Hadas, Doug Ledford, linux-rdma, kernel-janitors
On Tue, Dec 05, 2017 at 05:39:23PM +0300, Dan Carpenter wrote:
> Smatch complains about this code:
>
> drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
> error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
>
> The mlx4_ib_gid_index_to_real_index() does check that "port" is within
> bounds, but we don't check the return value for errors. It seems simple
> enough to add a check for that.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Thanks, applied to -next
Jason
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: IB/mlx4: Potential buffer overflow in _mlx4_set_path()
@ 2017-12-13 18:20 ` Jason Gunthorpe
0 siblings, 0 replies; 6+ messages in thread
From: Jason Gunthorpe @ 2017-12-13 18:20 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Yishai Hadas, Doug Ledford, linux-rdma, kernel-janitors
On Tue, Dec 05, 2017 at 05:39:23PM +0300, Dan Carpenter wrote:
> Smatch complains about this code:
>
> drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
> error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
>
> The mlx4_ib_gid_index_to_real_index() does check that "port" is within
> bounds, but we don't check the return value for errors. It seems simple
> enough to add a check for that.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Thanks, applied to -next
Jason
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-12-13 18:20 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-05 14:39 [PATCH] IB/mlx4: Potential buffer overflow in _mlx4_set_path() Dan Carpenter
2017-12-05 14:39 ` Dan Carpenter
2017-12-05 15:53 ` Leon Romanovsky
2017-12-05 15:53 ` Leon Romanovsky
2017-12-13 18:20 ` Jason Gunthorpe
2017-12-13 18:20 ` Jason Gunthorpe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.