[ofw] [MLX4] Prevent stack corruption
Leonid Keller
leonid at mellanox.co.il
Mon Sep 27 12:32:34 PDT 2010
Applied in 2948, thank you.
> -----Original Message-----
> From: ofw-bounces at lists.openfabrics.org [mailto:ofw-
> bounces at lists.openfabrics.org] On Behalf Of Fab Tillier
> Sent: Wednesday, September 22, 2010 11:56 PM
> To: ofw at lists.openfabrics.org
> Subject: [ofw] [MLX4] Prevent stack corruption
>
> This is likely an unexercised path, but looks like a bug nonetheless:
>
> In the case where umv_buf::command is FALSE, the else control segment
> is taken and a stack variable's address is stored by INIT_UDATA, to be
> written later in the call to alloc_pd. The stack variable then goes
> out of scope, so the call to alloc_pd could corrupt the stack.
>
> The fix uses the status local variable as temporary storage, as it is
> unused until after the call to alloc_pd.
>
> Signed-off-by: Fab Tillier <ftillier at microsoft.com>
>
> Index: kernel/hca/pd.c
> ===================================================================
> --- kernel/hca/pd.c (revision 2947)
> +++ kernel/hca/pd.c (working copy)
> @@ -80,9 +80,9 @@ mlnx_allocate_pd (
> 0, sizeof(p_resp->pdn));
> }
> else {
> - u32 pdn;
> - INIT_UDATA(&udata, NULL, &pdn,
> - 0, sizeof(pdn));
> + // Discard PDN output, so use status as temp
> storage.
> + INIT_UDATA(&udata, NULL, &status,
> + 0, sizeof(status));
> }
> }
> else {
>
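Review bot: In the else branch, pointing udata at &status with sizeof(status) turns the function's return-status variable into a scratch output buffer, and that is only safe while status is at least as wide as the u32 it replaces and is always reassigned after alloc_pd before anything reads it. The hunk shows neither the type of status nor the code after the call, so both assumptions rest on the commit message alone. Declaring a dedicated u32 pdn at function scope, so that it outlives the alloc_pd call, would fix the same lifetime bug without the aliasing. If status is kept, a compile-time size check against u32 next to the INIT_UDATA call and a note at the declaration of status would stop a later change from breaking this silently.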