[ofa-general] [PATCH] IB: Possible write outside array bounds
Sean Hefty
sean.hefty at intel.com
Wed Jul 29 12:36:50 PDT 2009
>@@ -132,6 +136,9 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp,
>u8 node_type,
> hop_ptr = smp->hop_ptr;
> hop_cnt = smp->hop_cnt;
>
>+ if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
>+ return IB_SMI_DISCARD;
>+
> /* See section 14.2.2.2, Vol 1 IB spec */
> if (!ib_get_smp_direction(smp)) {
> /* C14-9:1 -- sender should have incremented hop_ptr */
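Review bot: the new discard at the top of smi_handle_dr_smp_recv() bounds hop_cnt only, while hop_ptr is read from the same SMP on the line above and is not range-checked here. Every later use of hop_ptr as an index then depends on a comparison against hop_cnt being in effect on that path. Either confirm that for each branch, including the returning direction, or bound hop_ptr in this same test. A one-line comment stating that both fields come from the received packet and are untrusted would also make the reason for the check clear to later readers.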
>@@ -140,7 +147,8 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp,
>u8 node_type,
>
> /* C14-9:2 -- intermediate hop */
> if (hop_ptr && hop_ptr < hop_cnt) {
>- if (node_type != RDMA_NODE_IB_SWITCH)
>+ if (node_type != RDMA_NODE_IB_SWITCH ||
>+ hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS)
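Review bot: the added term hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS in the intermediate-hop condition cannot be true once the first hunk's check is applied. Inside this branch hop_ptr < hop_cnt, and hop_cnt < IB_SMP_MAX_PATH_HOPS after the early discard, so hop_ptr + 1 <= hop_cnt <= IB_SMP_MAX_PATH_HOPS - 1. Drop the term, or if it is kept as a local guard that does not rely on the earlier check, say so in a comment so it is not later removed as dead code without review.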
I believe at this point:
hop_ptr < hop_cnt < IB_SMP_MAX_PATH_HOPS
so, this test will always fail.
- Sean