[ofa-general] [PATCH] IB: Possible write outside array bounds
Roland Dreier
rdreier at cisco.com
Wed Jul 29 12:38:29 PDT 2009
> + if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
> + return IB_SMI_DISCARD;
> /* C14-9:2 -- intermediate hop */
> if (hop_ptr && hop_ptr < hop_cnt) {
> - if (node_type != RDMA_NODE_IB_SWITCH)
> + if (node_type != RDMA_NODE_IB_SWITCH ||
> + hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS)
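Review bot: The new early return on `hop_cnt >= IB_SMP_MAX_PATH_HOPS` at the top of the hunk carries no comment, while the branch right below it cites its spec clause (`/* C14-9:2 -- intermediate hop */`); a one-line comment naming the bound it enforces would keep the check from looking arbitrary. In the intermediate-hop condition, the added `hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS` term sits behind `hop_ptr < hop_cnt`, so once the early return has passed, hop_ptr + 1 is at most hop_cnt, which is already below IB_SMP_MAX_PATH_HOPS; the term can be dropped unless hop_cnt can change between the two checks.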
hmm, is the second test necessary? That's the case where hop_ptr is
less than hop_cnt but hop_ptr + 1 is more than
IB_SMP_MAX_PATH_HOPS... let's see... the biggest value of hop_ptr that
could get into that code is hop_cnt-1 (due to the test just above), and
the first test we're adding ensures hop_cnt is at most IB_SMP_MAX_PATH_HOPS-1.
So the biggest value of hop_ptr that passes the existing tests plus the
first test is IB_SMP_MAX_PATH_HOPS-1-1, i.e. IB_SMP_MAX_PATH_HOPS-2, which
means the second test you're adding is redundant, no?
- R.