diff options
| author | Hefty, Sean <sean.hefty@intel.com> | 2011-10-06 12:33:04 -0400 |
|---|---|---|
| committer | Roland Dreier <roland@purestorage.com> | 2011-10-06 12:33:04 -0400 |
| commit | f45ee80eb0dda1fbf32bf63189627a9e1e157a95 (patch) | |
| tree | 248b7dc6be8edf4d1ce212140c942ca654143245 | |
| parent | 10889a36437ffe92c9b81041525ac9661a8f2c92 (diff) | |
RDMA/cma: Check for NULL conn_param in rdma_accept
Check that conn_param is not null before dereferencing it when
processing rdma_accept(). This is necessary to prevent a possible
system crash, which can be caused by user space.
Problem found by code inspection.
Signed-off-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
| -rw-r--r-- | drivers/infiniband/core/cma.c | 38 |
1 files changed, 23 insertions, 15 deletions
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index ca4c5dcd7133..79b16028e898 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c | |||
| @@ -2616,14 +2616,16 @@ static int cma_connect_iw(struct rdma_id_private *id_priv, | |||
| 2616 | if (ret) | 2616 | if (ret) |
| 2617 | goto out; | 2617 | goto out; |
| 2618 | 2618 | ||
| 2619 | iw_param.ord = conn_param->initiator_depth; | 2619 | if (conn_param) { |
| 2620 | iw_param.ird = conn_param->responder_resources; | 2620 | iw_param.ord = conn_param->initiator_depth; |
| 2621 | iw_param.private_data = conn_param->private_data; | 2621 | iw_param.ird = conn_param->responder_resources; |
| 2622 | iw_param.private_data_len = conn_param->private_data_len; | 2622 | iw_param.private_data = conn_param->private_data; |
| 2623 | if (id_priv->id.qp) | 2623 | iw_param.private_data_len = conn_param->private_data_len; |
| 2624 | iw_param.qpn = id_priv->id.qp ? id_priv->qp_num : conn_param->qp_num; | ||
| 2625 | } else { | ||
| 2626 | memset(&iw_param, 0, sizeof iw_param); | ||
| 2624 | iw_param.qpn = id_priv->qp_num; | 2627 | iw_param.qpn = id_priv->qp_num; |
| 2625 | else | 2628 | } |
| 2626 | iw_param.qpn = conn_param->qp_num; | ||
| 2627 | ret = iw_cm_connect(cm_id, &iw_param); | 2629 | ret = iw_cm_connect(cm_id, &iw_param); |
| 2628 | out: | 2630 | out: |
| 2629 | if (ret) { | 2631 | if (ret) { |
| @@ -2765,14 +2767,20 @@ int rdma_accept(struct rdma_cm_id *id, struct rdma_conn_param *conn_param) | |||
| 2765 | 2767 | ||
| 2766 | switch (rdma_node_get_transport(id->device->node_type)) { | 2768 | switch (rdma_node_get_transport(id->device->node_type)) { |
| 2767 | case RDMA_TRANSPORT_IB: | 2769 | case RDMA_TRANSPORT_IB: |
| 2768 | if (id->qp_type == IB_QPT_UD) | 2770 | if (id->qp_type == IB_QPT_UD) { |
| 2769 | ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS, | 2771 | if (conn_param) |
| 2770 | conn_param->private_data, | 2772 | ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS, |
| 2771 | conn_param->private_data_len); | 2773 | conn_param->private_data, |
| 2772 | else if (conn_param) | 2774 | conn_param->private_data_len); |
| 2773 | ret = cma_accept_ib(id_priv, conn_param); | 2775 | else |
| 2774 | else | 2776 | ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS, |
| 2775 | ret = cma_rep_recv(id_priv); | 2777 | NULL, 0); |
| 2778 | } else { | ||
| 2779 | if (conn_param) | ||
| 2780 | ret = cma_accept_ib(id_priv, conn_param); | ||
| 2781 | else | ||
| 2782 | ret = cma_rep_recv(id_priv); | ||
| 2783 | } | ||
| 2776 | break; | 2784 | break; |
| 2777 | case RDMA_TRANSPORT_IWARP: | 2785 | case RDMA_TRANSPORT_IWARP: |
| 2778 | ret = cma_accept_iw(id_priv, conn_param); | 2786 | ret = cma_accept_iw(id_priv, conn_param); |