[openib-general] [PATCH] user_mad.c::ib_umad_write don't go past end of user buffer

Hal Rosenstock halr at voltaire.com
Mon Sep 19 10:44:18 PDT 2005


user_mad.c::ib_umad_write don't go past end of user buffer
Fix to the previous fix for the length of the user buffer copied when sending RMPP

Signed-off-by: Hal Rosenstock <halr at voltaire.com>

Index: user_mad.c
===================================================================
--- user_mad.c	(revision 3480)
+++ user_mad.c	(working copy)
@@ -273,7 +273,6 @@ static ssize_t ib_umad_write(struct file
 	u8 method;
 	__be64 *tid;
 	int ret, length, hdr_len, data_len, rmpp_hdr_size;
-	int class_hdr_len = 0;
 	int rmpp_active = 0;
 
 	if (count < sizeof (struct ib_user_mad))
@@ -335,16 +334,15 @@ static ssize_t ib_umad_write(struct file
 			ret = -EINVAL;
 			goto err_ah;
 		}
+
 		/* Validate that the management class can support RMPP */
 		if (rmpp_mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_SUBN_ADM) {
 			hdr_len = offsetof(struct ib_sa_mad, data);
-			data_len = length;
-			class_hdr_len = sizeof(struct ib_sa_hdr);
+			data_len = length - hdr_len;
 		} else if ((rmpp_mad->mad_hdr.mgmt_class >= IB_MGMT_CLASS_VENDOR_RANGE2_START) &&
 			    (rmpp_mad->mad_hdr.mgmt_class <= IB_MGMT_CLASS_VENDOR_RANGE2_END)) {
 				hdr_len = offsetof(struct ib_vendor_mad, data);
 				data_len = length - hdr_len;
-				class_hdr_len = 4;
 		} else {
 			ret = -EINVAL;
 			goto err_ah;
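Review bot: The new `data_len = length - hdr_len;` on the SA branch, like the existing vendor branch, subtracts a header length from `length` with no check in the hunk that `length >= hdr_len`; the third hunk's `length - rmpp_hdr_size` handed to copy_from_user has the same shape, and a negative int there would be converted to a very large unsigned copy length. If `length` is derived from the user-supplied `count` and only the `count < sizeof (struct ib_user_mad)` test at the top of the function bounds it, an explicit guard such as `if (length < hdr_len) { ret = -EINVAL; goto err_ah; }` before the subtraction, with a matching one against `rmpp_hdr_size` before the copy, would make the lower bound visible where it matters. If such a check already exists in the part of ib_umad_write outside these hunks, a one-line comment at the subtraction naming it would spare the next reader the same search. The enclosing function starts before this hunk and continues past the last one.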
@@ -393,7 +391,7 @@ static ssize_t ib_umad_write(struct file
 		/* Now, copy rest of message from user into send buffer */
 		if (copy_from_user(((struct ib_rmpp_mad *) packet->msg->mad)->data,
 				   buf + sizeof (struct ib_user_mad) + rmpp_hdr_size,
-				   length + class_hdr_len)) {
+				   length - rmpp_hdr_size)) {
 			ret = -EFAULT;
 			goto err_msg;
 		}





