[openib-general] [PATCH] user_mad: Fix length of user buffer copied when sending RMPP

Roland Dreier rolandd at cisco.com
Mon Sep 19 09:33:15 PDT 2005


What version of user_mad.c is this against?  It doesn't apply to the
latest subversion, since you have the chunk

 		if (copy_from_user(((struct ib_rmpp_mad *) packet->msg->mad)->data,
 				   buf + sizeof (struct ib_user_mad) + rmpp_hdr_size,
-				   length)) {
+				   length + class_hdr_len)) {
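Review bot: the new copy size `length + class_hdr_len` is larger than `length`, which (per the `length = count - sizeof (struct ib_user_mad)` assignment quoted in this mail) already spans the whole user buffer beyond the ib_user_mad header, while the source pointer starts a further `rmpp_hdr_size` bytes into that buffer; copy_from_user() would therefore read past the end of what userspace supplied (faulting, or reading adjacent user memory) and, depending on how `packet->msg->mad` was allocated, could write more into the destination than it was sized for. The copy must be bounded by the bytes remaining after the offset, i.e. `length - rmpp_hdr_size` as the current code does, and the changelog should define `class_hdr_len` and explain why it belongs in the length rather than in the source offset.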

but the current code looks like

		if (copy_from_user(((struct ib_rmpp_mad *) packet->msg->mad)->data,
				   buf + sizeof (struct ib_user_mad) + rmpp_hdr_size,
				   length - rmpp_hdr_size)) {

I don't see how the current code could be wrong: at the beginning of
the function, we do:

	length = count - sizeof (struct ib_user_mad);

so length is the size of the buffer passed in by userspace, less the
size of our user_mad header.  Then in the copy_from_user() call, we're
copying from an offset of sizeof (struct ib_user_mad) + rmpp_hdr_size
after the beginning of the buffer, so we should copy at most the size
of the buffer less that offset, which is exactly length - rmpp_hdr_size.

If I'm wrong, can you regenerate your patch against the current code
and provide a better changelog entry that describes what you're fixing?

 - R.
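The bound argued above, written out as an added illustration (not code from the user_mad driver or from the patch): the copy length must be the bytes left in the user buffer after the header offset, and a buffer shorter than the combined headers must be rejected rather than allowed to underflow. The header sizes are assumed placeholders, not the real sizeof values.

```c
#include <stddef.h>
#include <stdbool.h>

/* Assumed sizes standing in for sizeof(struct ib_user_mad) and the RMPP
 * header; the kernel headers define the real values. */
#define USER_MAD_HDR_LEN 64u
#define RMPP_HDR_LEN     12u

/* Given the total byte count userspace passed to write(), return how many
 * bytes may be copied from offset (USER_MAD_HDR_LEN + rmpp_hdr_size) without
 * reading past the end of the user buffer, or -1 if the buffer is too short
 * to even hold both headers (so length - rmpp_hdr_size would underflow). */
long rmpp_data_copy_len(size_t count, size_t rmpp_hdr_size)
{
    size_t off = USER_MAD_HDR_LEN + rmpp_hdr_size;
    if (count < off)
        return -1;
    size_t length = count - USER_MAD_HDR_LEN;  /* as the driver computes it */
    return (long)(length - rmpp_hdr_size);     /* identical to count - off */
}

/* Generic check a reviewer applies to any proposed copy size: the source
 * offset plus the length must not exceed the buffer the caller handed in. */
bool copy_within_buffer(size_t count, size_t rmpp_hdr_size, size_t len)
{
    size_t off = USER_MAD_HDR_LEN + rmpp_hdr_size;
    return off <= count && len <= count - off;
}
```

With a 100-byte write, `length` is 36 and only 24 bytes remain past the RMPP header, so a copy of `length` or more already fails the check.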
