RDMA/nes: Fix possible array overrun

In nes_create_qp(), the test if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) { is used to error out if the db_index is too large; however, if the test doesn't trigger, then the index is used as nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp; and mmap_nesqp is declared as struct nes_qp *mmap_nesqp[NES_MAX_USER_WQ_REGIONS]; which leads to an array overrun if the index is exactly equal to NES_MAX_USER_WQ_REGIONS. Fix this by bailing out if the index is greater than or equal to NES_MAX_USER_WQ_REGIONS. This was spotted by the Coverity checker (CID 2162). Acked-by: Glenn Streiff <gstreiff@neteffect.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
author: Roland Dreier <rolandd@cisco.com> 2008-02-18 13:33:59 -0500
committer: Roland Dreier <rolandd@cisco.com> 2008-02-18 13:33:59 -0500
commit: 51af33e8e45b845d8ee85446f58e31bc4c118048 (patch)
tree: 5d82fbb684c0adc0a01f2277f93fab7da2ac3810
parent: edd2fd643c500c812cae5b0d314ab9db9f959898 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
index ffd4b425567f..4dafbe16e82a 100644
--- a/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1337,7 +1337,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
                                                                   NES_MAX_USER_WQ_REGIONS, nes_ucontext->first_free_wq);
                                        /* nes_debug(NES_DBG_QP, "find_first_zero_biton wqs returned %u\n",
                                                        nespd->mmap_db_index); */
-                                        if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {
+                                        if (nesqp->mmap_sq_db_index >= NES_MAX_USER_WQ_REGIONS) {
                                                nes_debug(NES_DBG_QP,
                                                          "db index > max user regions, failing create QP\n");
                                                nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num);
author	Roland Dreier <rolandd@cisco.com>	2008-02-18 13:33:59 -0500
committer	Roland Dreier <rolandd@cisco.com>	2008-02-18 13:33:59 -0500
commit	51af33e8e45b845d8ee85446f58e31bc4c118048 (patch)
tree	5d82fbb684c0adc0a01f2277f93fab7da2ac3810
parent	edd2fd643c500c812cae5b0d314ab9db9f959898 (diff)

diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c index ffd4b425567f..4dafbe16e82a 100644 --- a/drivers/infiniband/hw/nes/nes_verbs.c +++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1337,7 +1337,7 @@ static struct ib_qp nes_create_qp(struct ib_pd ibpd,
1337	NES_MAX_USER_WQ_REGIONS, nes_ucontext->first_free_wq);	1337	NES_MAX_USER_WQ_REGIONS, nes_ucontext->first_free_wq);
1338	/* nes_debug(NES_DBG_QP, "find_first_zero_biton wqs returned %u\n",	1338	/* nes_debug(NES_DBG_QP, "find_first_zero_biton wqs returned %u\n",
1339	nespd->mmap_db_index); */	1339	nespd->mmap_db_index); */
1340	if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {	1340	if (nesqp->mmap_sq_db_index >= NES_MAX_USER_WQ_REGIONS) {
1341	nes_debug(NES_DBG_QP,	1341	nes_debug(NES_DBG_QP,
1342	"db index > max user regions, failing create QP\n");	1342	"db index > max user regions, failing create QP\n");
1343	nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num);	1343	nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num);