diff options
| author | Roland Dreier <rolandd@cisco.com> | 2005-11-18 17:18:26 -0500 |
|---|---|---|
| committer | Roland Dreier <rolandd@cisco.com> | 2005-11-18 17:18:26 -0500 |
| commit | eabc77935d8d2a761c88b9cbb6313bd54b6ddbb3 (patch) | |
| tree | cde3d8c648c09264669ca207df597d9e96c849bb | |
| parent | 48fd0d1fdd357caa2de8cb4ce6af810df7535f43 (diff) | |
IB/umad: make sure write()s have sufficient data
Make sure that userspace passes in enough data when sending a MAD. We
always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR
bytes from userspace, so anything less is definitely invalid. Also,
if the length is less than this limit, it's possible for the second
copy_from_user() to get a negative length and trigger a BUG().
Signed-off-by: Roland Dreier <rolandd@cisco.com>
| -rw-r--r-- | drivers/infiniband/core/user_mad.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c index 5ea741f47fc8..e73f81c22381 100644 --- a/drivers/infiniband/core/user_mad.c +++ b/drivers/infiniband/core/user_mad.c | |||
| @@ -312,7 +312,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, | |||
| 312 | int ret, length, hdr_len, copy_offset; | 312 | int ret, length, hdr_len, copy_offset; |
| 313 | int rmpp_active = 0; | 313 | int rmpp_active = 0; |
| 314 | 314 | ||
| 315 | if (count < sizeof (struct ib_user_mad)) | 315 | if (count < sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR) |
| 316 | return -EINVAL; | 316 | return -EINVAL; |
| 317 | 317 | ||
| 318 | length = count - sizeof (struct ib_user_mad); | 318 | length = count - sizeof (struct ib_user_mad); |