Commit eabc7793 authored by Roland Dreier's avatar Roland Dreier

IB/umad: make sure write()s have sufficient data

Make sure that userspace passes in enough data when sending a MAD.  We
always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR
bytes from userspace, so anything less is definitely invalid.  Also,
if the length is less than this limit, it's possible for the second
copy_from_user() to get a negative length and trigger a BUG().
Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent 48fd0d1f
...@@ -312,7 +312,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, ...@@ -312,7 +312,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
int ret, length, hdr_len, copy_offset; int ret, length, hdr_len, copy_offset;
int rmpp_active = 0; int rmpp_active = 0;
if (count < sizeof (struct ib_user_mad)) if (count < sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR)
return -EINVAL; return -EINVAL;
length = count - sizeof (struct ib_user_mad); length = count - sizeof (struct ib_user_mad);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment