[openib-general] [PATCH] user_mad: Fix length of user buffer copied when sending RMPP
Roland Dreier
rolandd at cisco.com
Mon Sep 19 09:33:15 PDT 2005
What version of user_mad.c is this against? It doesn't apply to the
latest subversion, since you have the chunk
if (copy_from_user(((struct ib_rmpp_mad *) packet->msg->mad)->data,
buf + sizeof (struct ib_user_mad) + rmpp_hdr_size,
- length)) {
+ length + class_hdr_len)) {
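Review bot: the `-` line `length)) {` does not match the tree this is being reviewed against, where the call already passes `length - rmpp_hdr_size`, so the hunk will not apply and needs to be regenerated against current code. As written, `length + class_hdr_len` also asks copy_from_user() for more bytes than userspace supplied: `length` is already `count - sizeof (struct ib_user_mad)`, and the source pointer starts a further `rmpp_hdr_size` bytes into the buffer, so the copy would run `rmpp_hdr_size + class_hdr_len` bytes past the end of what the caller passed in. If the intent is that a class header precedes the RMPP data in the user buffer, the changelog should say where that header sits and why the existing subtraction is wrong.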
but the current code looks like
if (copy_from_user(((struct ib_rmpp_mad *) packet->msg->mad)->data,
                   buf + sizeof (struct ib_user_mad) + rmpp_hdr_size,
                   length - rmpp_hdr_size)) {
I don't see how the current code could be wrong: at the beginning of
the function, we do:
length = count - sizeof (struct ib_user_mad);
so length is the size of the buffer passed in by userspace, less the
size of our user_mad header. Then in the copy_from_user() call, we're
copying from an offset of sizeof (struct ib_user_mad) + rmpp_hdr_size
after the beginning of the buffer, so we should copy at most the size
of the buffer less that offset, which is exactly length - rmpp_hdr_size.
If I'm wrong, can you regenerate your patch against the current code
and provide a better changelog entry that describes what you're fixing?
- R.
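The length arithmetic Roland walks through above, as an added stand-alone example (not code from the thread or from the kernel's user_mad.c): a small model of the write path that derives the copy length from `count` the way the current tree does, beside the length the rejected patch would use, with a stand-in for copy_from_user() that reports when a copy would run off the end of the user buffer. The header sizes, `MAD_DATA_MAX`, `copy_from_user_sim()`, `send_rmpp()` and `run_scenario()` are all assumptions made for this illustration; the real sizes come from the kernel headers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes are stand-ins chosen for illustration, not the kernel's values. */
#define USER_MAD_HDR_SIZE 16   /* stands in for sizeof (struct ib_user_mad) */
#define RMPP_HDR_SIZE     12   /* stands in for rmpp_hdr_size */
#define CLASS_HDR_LEN     40   /* stands in for the patch's class_hdr_len */
#define MAD_DATA_MAX     256   /* assumed capacity of the kernel-side data area */
#define UBUF_MAX         512   /* backing store for the simulated user buffer */

/* A user mapping with a hard end, as copy_from_user() would see it. */
struct user_buf {
    const uint8_t *base;
    size_t len;
};

/* Model of copy_from_user(): returns 0 on success, otherwise the number
 * of requested bytes that lie outside the user mapping. */
static size_t copy_from_user_sim(void *dst, const struct user_buf *ub,
                                 size_t off, size_t n)
{
    if (off > ub->len)
        return n;
    if (n > ub->len - off)
        return n - (ub->len - off);
    memcpy(dst, ub->base + off, n);
    return 0;
}

/* Current tree: bytes left in the user buffer after both headers. */
static size_t rmpp_copy_len_current(size_t length)
{
    return length - RMPP_HDR_SIZE;
}

/* Rejected patch: adds bytes that userspace never passed in. */
static size_t rmpp_copy_len_patched(size_t length)
{
    return length + CLASS_HDR_LEN;
}

/* Mirrors the write path: length = count - user_mad header size, then the
 * RMPP data is copied from offset USER_MAD_HDR_SIZE + RMPP_HDR_SIZE.
 * Returns 0 on success, -EINVAL if count cannot hold the headers, -E2BIG if
 * the copy would overflow the kernel-side buffer, -EFAULT if it would read
 * past the end of the user buffer. */
static int send_rmpp(const struct user_buf *ub, size_t count, int use_patched,
                     uint8_t *mad_data, size_t mad_data_max, size_t *copied)
{
    const size_t off = USER_MAD_HDR_SIZE + RMPP_HDR_SIZE;
    size_t length, n;

    if (count > ub->len || count < off)
        return -EINVAL;
    length = count - USER_MAD_HDR_SIZE;
    n = use_patched ? rmpp_copy_len_patched(length)
                    : rmpp_copy_len_current(length);
    if (n > mad_data_max)
        return -E2BIG;
    if (copy_from_user_sim(mad_data, ub, off, n))
        return -EFAULT;
    *copied = n;
    return 0;
}

/* Constructed scenario: a user mapping of ubuf_len bytes filled with a
 * known pattern (byte i holds i), of which `count` bytes are handed to the
 * write path.  Returns the number of bytes copied, or a negative errno. */
static long run_scenario(size_t ubuf_len, size_t count, int use_patched)
{
    static uint8_t backing[UBUF_MAX];
    uint8_t mad_data[MAD_DATA_MAX];
    struct user_buf ub = { backing, ubuf_len };
    size_t copied = 0;
    int rc;

    if (ubuf_len > UBUF_MAX)
        return -EINVAL;
    for (size_t i = 0; i < ubuf_len; i++)
        backing[i] = (uint8_t)i;
    rc = send_rmpp(&ub, count, use_patched, mad_data, sizeof mad_data, &copied);
    if (rc)
        return rc;
    /* The first data byte must be the one right after both headers. */
    if (copied && mad_data[0] != (uint8_t)(USER_MAD_HDR_SIZE + RMPP_HDR_SIZE))
        return -EIO;
    return (long)copied;
}

int main(void)
{
    printf("current tree, count=100: %ld\n", run_scenario(100, 100, 0));
    printf("patched,      count=100: %ld\n", run_scenario(100, 100, 1));
    printf("count shorter than headers: %ld\n", run_scenario(100, 20, 0));
    return 0;
}
```

With a 100-byte write, the current arithmetic copies exactly the 72 bytes that follow the two headers, while the patched length asks for 124 bytes starting 28 bytes in and the simulated copy_from_user() refuses. The real kernel would only fault if the excess crossed a mapping boundary; otherwise it would silently copy unrelated user memory, which is why the destination-size check in `send_rmpp()` is there too.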