[ofa-general] [PATCH] IB: Possible write outside array bounds
Roel Kluin
roel.kluin at gmail.com
Fri Jul 24 04:30:53 PDT 2009
Ensure index stays within smp->return_path[] and ->initial_path[].
Signed-off-by: Roel Kluin <roel.kluin at gmail.com>
---
This was observed using Parfait (http://research.sun.com/projects/parfait/).
It appears that hop_ptr may be able to range up to 255, potentially writing
outside the buffer.
diff --git a/drivers/infiniband/core/smi.c b/drivers/infiniband/core/smi.c
index 8723675..8303b80 100644
--- a/drivers/infiniband/core/smi.c
+++ b/drivers/infiniband/core/smi.c
@@ -140,7 +140,8 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, u8 node_type,
/* C14-9:2 -- intermediate hop */
if (hop_ptr && hop_ptr < hop_cnt) {
- if (node_type != RDMA_NODE_IB_SWITCH)
+ if (node_type != RDMA_NODE_IB_SWITCH ||
+ hop_ptr >= IB_SMP_MAX_PATH_HOPS - 1)
return IB_SMI_DISCARD;
smp->return_path[hop_ptr] = port_num;
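Review bot: the bound added to the intermediate-hop test, `hop_ptr >= IB_SMP_MAX_PATH_HOPS - 1`, is one stricter than the only write visible in this hunk requires, since `smp->return_path[hop_ptr] = port_num;` is in range for any hop_ptr below IB_SMP_MAX_PATH_HOPS. If the `- 1` is meant to protect an access at hop_ptr + 1 outside the visible context (the commit message also names ->initial_path[]), add a comment next to the check saying so; otherwise `hop_ptr >= IB_SMP_MAX_PATH_HOPS` is the matching bound. Because this branch already requires hop_ptr < hop_cnt, consider rejecting an out-of-range hop_cnt once at the top of smi_handle_dr_smp_recv() instead of folding the length check into the node_type test; that bounds hop_ptr here in one place and keeps the two discard reasons separate.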