[ofw] [MLX4] Prevent stack corruption
Fab Tillier
ftillier at microsoft.com
Wed Sep 22 14:56:05 PDT 2010
This is likely an unexercised path, but looks like a bug nonetheless:
In the case where umv_buf::command is FALSE, the else control segment is taken and a stack variable's address is stored by INIT_UDATA, to be written later in the call to alloc_pd. The stack variable then goes out of scope, so the call to alloc_pd could corrupt the stack.
The fix uses the status local variable as temporary storage, as it is unused until after the call to alloc_pd.
Signed-off-by: Fab Tillier <ftillier at microsoft.com>
Index: kernel/hca/pd.c
===================================================================
--- kernel/hca/pd.c (revision 2947)
+++ kernel/hca/pd.c (working copy)
@@ -80,9 +80,9 @@ mlnx_allocate_pd (
0, sizeof(p_resp->pdn));
}
else {
- u32 pdn;
- INIT_UDATA(&udata, NULL, &pdn,
- 0, sizeof(pdn));
+ // Discard PDN output, so use status as temp storage.
+ INIT_UDATA(&udata, NULL, &status,
+ 0, sizeof(status));
}
}
else {
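Review bot: In the else branch, passing &status with sizeof(status) changes the output length from sizeof(u32) to whatever type status has, and that declaration is not visible in this hunk. If status is narrower than the PDN that alloc_pd writes back, the write is either truncated or rejected. If it is wider, the upper bytes are left uninitialized. Aliasing also only stays safe while status is unconditionally reassigned after alloc_pd and before any read, which a later edit could silently break. Consider keeping a dedicated u32 pdn but declaring it at function scope, so its lifetime covers the alloc_pd call, rather than reusing status. If status is kept, the comment should state the size assumption.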