[ofa-general] [PATCH] IB: Possible write outside array bounds
Hal Rosenstock
hal.rosenstock at gmail.com
Wed Jul 29 12:22:28 PDT 2009
On Wed, Jul 29, 2009 at 3:15 PM, Roland Dreier <rdreier at cisco.com> wrote:
>
> > Based on the spec limiting hop pointer to 255 and not 63, I think the
> > above should just be a check on hop count and not hop pointer:
> > if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
>
> Yes, it seems that the current code then properly checks hop_ptr against
> hop_cnt in all cases. Do we all agree that the following patch is
> right? If so I'll queue it for 2.6.32:
>
> drivers/infiniband/core/smi.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/infiniband/core/smi.c b/drivers/infiniband/core/smi.c
> index 8723675..a10152d 100644
> --- a/drivers/infiniband/core/smi.c
> +++ b/drivers/infiniband/core/smi.c
> @@ -52,6 +52,10 @@ enum smi_action smi_handle_dr_smp_send(struct ib_smp
> *smp,
> hop_cnt = smp->hop_cnt;
>
> /* See section 14.2.2.2, Vol 1 IB spec */
> + /* C14-6 -- valid hop_cnt values are from 0 to 63 */
> + if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
> + return IB_SMI_DISCARD;
> +
> if (!ib_get_smp_direction(smp)) {
> /* C14-9:1 */
> if (hop_cnt && hop_ptr == 0) {
>
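Review bot: The new bound at the top of smi_handle_dr_smp_send only covers the send path; hop_cnt is copied straight from the incoming MAD (`hop_cnt = smp->hop_cnt;`), so any other entry point that reads it the same way and later uses it to index a fixed-size path array needs the identical guard, which is the recv-side gap (smi_handle_dr_smp_recv) the reply below raises. Suggest adding the same three lines there in the same place, directly after hop_cnt is loaded and before any hop_ptr/hop_cnt comparison, so both directions discard a malformed SMP before touching the path arrays. Minor: the comment says "0 to 63" while the test uses IB_SMP_MAX_PATH_HOPS; phrasing it as "hop_cnt must be < IB_SMP_MAX_PATH_HOPS (C14-6)" keeps the comment from drifting if the constant ever changes.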
That looks right to me on the send side. Shouldn't there be the same check
on the recv side (smi_handle_dr_smp_recv), which was the intent of Roel's
original patch?
-- Hal