diff options
| author | Ralph Campbell <ralph.campbell@qlogic.com> | 2007-06-18 17:24:44 -0400 |
|---|---|---|
| committer | Roland Dreier <rolandd@cisco.com> | 2007-07-09 23:12:26 -0400 |
| commit | 30d149ab58cc3ed8e4bc9c4dc45bebbed0e84b6e (patch) | |
| tree | f85f47458efb9e98f01b490a539dbf873bbaddd9 /drivers/infiniband/hw/ipath/ipath_ud.c | |
| parent | db5518cd09c21f0fa70af0a4ca38badd90622c9e (diff) | |
IB/ipath: Fix possible data corruption if multiple SGEs used for receive
The code to copy data from the receive queue buffers to the IB SGEs
doesn't check the SGE length, only the memory region/page length when
copying data. This could overwrite parts of the user's memory that
were not intended to be written. It can only happen if multiple SGEs
are used to describe a receive buffer which almost never happens in
practice.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/hw/ipath/ipath_ud.c')
| -rw-r--r-- | drivers/infiniband/hw/ipath/ipath_ud.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/infiniband/hw/ipath/ipath_ud.c b/drivers/infiniband/hw/ipath/ipath_ud.c index a518f7c8fa8..0b5a6ac1bb8 100644 --- a/drivers/infiniband/hw/ipath/ipath_ud.c +++ b/drivers/infiniband/hw/ipath/ipath_ud.c | |||
| @@ -231,6 +231,8 @@ static void ipath_ud_loopback(struct ipath_qp *sqp, | |||
| 231 | 231 | ||
| 232 | if (len > length) | 232 | if (len > length) |
| 233 | len = length; | 233 | len = length; |
| 234 | if (len > sge->sge_length) | ||
| 235 | len = sge->sge_length; | ||
| 234 | BUG_ON(len == 0); | 236 | BUG_ON(len == 0); |
| 235 | ipath_copy_sge(&rsge, sge->vaddr, len); | 237 | ipath_copy_sge(&rsge, sge->vaddr, len); |
| 236 | sge->vaddr += len; | 238 | sge->vaddr += len; |