diff options
author | Hefty, Sean <sean.hefty@intel.com> | 2011-10-06 12:33:04 -0400 |
---|---|---|
committer | Roland Dreier <roland@purestorage.com> | 2011-10-06 12:33:04 -0400 |
commit | f45ee80eb0dda1fbf32bf63189627a9e1e157a95 (patch) | |
tree | 248b7dc6be8edf4d1ce212140c942ca654143245 /drivers/infiniband/core/cma.c | |
parent | 10889a36437ffe92c9b81041525ac9661a8f2c92 (diff) |
RDMA/cma: Check for NULL conn_param in rdma_accept
Check that conn_param is not null before dereferencing it when
processing rdma_accept(). This is necessary to prevent a possible
system crash, which can be caused by user space.
Problem found by code inspection.
Signed-off-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Diffstat (limited to 'drivers/infiniband/core/cma.c')
-rw-r--r-- | drivers/infiniband/core/cma.c | 38 |
1 files changed, 23 insertions, 15 deletions
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index ca4c5dcd713..79b16028e89 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c | |||
@@ -2616,14 +2616,16 @@ static int cma_connect_iw(struct rdma_id_private *id_priv, | |||
2616 | if (ret) | 2616 | if (ret) |
2617 | goto out; | 2617 | goto out; |
2618 | 2618 | ||
2619 | iw_param.ord = conn_param->initiator_depth; | 2619 | if (conn_param) { |
2620 | iw_param.ird = conn_param->responder_resources; | 2620 | iw_param.ord = conn_param->initiator_depth; |
2621 | iw_param.private_data = conn_param->private_data; | 2621 | iw_param.ird = conn_param->responder_resources; |
2622 | iw_param.private_data_len = conn_param->private_data_len; | 2622 | iw_param.private_data = conn_param->private_data; |
2623 | if (id_priv->id.qp) | 2623 | iw_param.private_data_len = conn_param->private_data_len; |
2624 | iw_param.qpn = id_priv->id.qp ? id_priv->qp_num : conn_param->qp_num; | ||
2625 | } else { | ||
2626 | memset(&iw_param, 0, sizeof iw_param); | ||
2624 | iw_param.qpn = id_priv->qp_num; | 2627 | iw_param.qpn = id_priv->qp_num; |
2625 | else | 2628 | } |
2626 | iw_param.qpn = conn_param->qp_num; | ||
2627 | ret = iw_cm_connect(cm_id, &iw_param); | 2629 | ret = iw_cm_connect(cm_id, &iw_param); |
2628 | out: | 2630 | out: |
2629 | if (ret) { | 2631 | if (ret) { |
@@ -2765,14 +2767,20 @@ int rdma_accept(struct rdma_cm_id *id, struct rdma_conn_param *conn_param) | |||
2765 | 2767 | ||
2766 | switch (rdma_node_get_transport(id->device->node_type)) { | 2768 | switch (rdma_node_get_transport(id->device->node_type)) { |
2767 | case RDMA_TRANSPORT_IB: | 2769 | case RDMA_TRANSPORT_IB: |
2768 | if (id->qp_type == IB_QPT_UD) | 2770 | if (id->qp_type == IB_QPT_UD) { |
2769 | ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS, | 2771 | if (conn_param) |
2770 | conn_param->private_data, | 2772 | ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS, |
2771 | conn_param->private_data_len); | 2773 | conn_param->private_data, |
2772 | else if (conn_param) | 2774 | conn_param->private_data_len); |
2773 | ret = cma_accept_ib(id_priv, conn_param); | 2775 | else |
2774 | else | 2776 | ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS, |
2775 | ret = cma_rep_recv(id_priv); | 2777 | NULL, 0); |
2778 | } else { | ||
2779 | if (conn_param) | ||
2780 | ret = cma_accept_ib(id_priv, conn_param); | ||
2781 | else | ||
2782 | ret = cma_rep_recv(id_priv); | ||
2783 | } | ||
2776 | break; | 2784 | break; |
2777 | case RDMA_TRANSPORT_IWARP: | 2785 | case RDMA_TRANSPORT_IWARP: |
2778 | ret = cma_accept_iw(id_priv, conn_param); | 2786 | ret = cma_accept_iw(id_priv, conn_param); |