[ofa-general] [PATCH] IB: Possible write outside array bounds

Wed Jul 29 12:53:40 PDT 2009

 > > Isn't that increment at the end of the DR part done to handle the
 > > pre-decrement that will be done as part of c14-13?

 > It was the other direction: c14-9 case 3 increments hop ptr and returns so
 > it looks like this could be hop_ptr 65 if it were 64 coming in to this case
 > and I don't see that prevented. Hope that's clearer...

I think I understood.  c14-9:3 is in the send path, when the SMI is at
the end of the DR part.  And it is used when hop_ptr is equal to
hop_cnt; since hop_cnt can't be bigger than 63 with the new checks,
hop_ptr can't end up bigger than 64.  And I think as I said that the
returning DR handling will pre-decrement the hop_ptr as described in
c14-13, so that it will never be bigger than 63.

 - R.