[openib-general] [PATCH] user_mad: Fix length of user buffer copied when sending RMPP
Hal Rosenstock
halr at voltaire.com
Mon Sep 19 04:38:51 PDT 2005
user_mad: Fix length of user buffer copied when sending RMPP
Signed-off-by: Hal Rosenstock <halr at voltaire.com>
Index: user_mad.c
===================================================================
--- user_mad.c (revision 3472)
+++ user_mad.c (working copy)
@@ -273,6 +273,7 @@ static ssize_t ib_umad_write(struct file
u8 method;
__be64 *tid;
int ret, length, hdr_len, data_len, rmpp_hdr_size;
+ int class_hdr_len = 0;
int rmpp_active = 0;
if (count < sizeof (struct ib_user_mad))
@@ -338,10 +339,12 @@ static ssize_t ib_umad_write(struct file
if (rmpp_mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_SUBN_ADM) {
hdr_len = offsetof(struct ib_sa_mad, data);
data_len = length;
+ class_hdr_len = sizeof(struct ib_sa_hdr);
} else if ((rmpp_mad->mad_hdr.mgmt_class >= IB_MGMT_CLASS_VENDOR_RANGE2_START) &&
(rmpp_mad->mad_hdr.mgmt_class <= IB_MGMT_CLASS_VENDOR_RANGE2_END)) {
hdr_len = offsetof(struct ib_vendor_mad, data);
data_len = length - hdr_len;
+ class_hdr_len = 4;
} else {
ret = -EINVAL;
goto err_ah;
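Review bot: The vendor-range branch sets `class_hdr_len = 4;` as a bare literal, while the SA branch derives its value from `sizeof(struct ib_sa_hdr)`, so the two can drift apart if the vendor MAD layout ever changes. Since hunk 3 copies to `((struct ib_rmpp_mad *) ...)->data`, the value appears to be the gap between the generic RMPP data offset and the class data offset, and could be computed in both branches as `class_hdr_len = hdr_len - offsetof(struct ib_rmpp_mad, data);`. If the literal stays, add a comment naming the fields those 4 bytes cover. The enclosing if/else chain and the rest of ib_umad_write lie outside this hunk.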
@@ -390,7 +393,7 @@ static ssize_t ib_umad_write(struct file
/* Now, copy rest of message from user into send buffer */
if (copy_from_user(((struct ib_rmpp_mad *) packet->msg->mad)->data,
buf + sizeof (struct ib_user_mad) + rmpp_hdr_size,
- length)) {
+ length + class_hdr_len)) {
ret = -EFAULT;
goto err_msg;
}
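Review bot: The copy length grows from `length` to `length + class_hdr_len`, but nothing in this hunk shows that the user's `count` or the send buffer behind `packet->msg->mad` covers the extra bytes. The allocation of `packet->msg` and the computation of `length` are outside the visible hunks, so whether the destination was sized with `hdr_len + data_len` to include the class header should be confirmed, because an undersized buffer would turn this into a kernel heap overwrite driven by a user-controlled write(). If it is not already guaranteed earlier in ib_umad_write, an explicit guard before the copy, such as `if (count < sizeof (struct ib_user_mad) + rmpp_hdr_size + length + class_hdr_len) { ret = -EINVAL; goto err_msg; }`, would make the bound visible. Both operands are `int`, so a comment stating that `length` is known to be non-negative here would also help.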