IB/uverbs: Check input length in flow steering uverbs

Since ib_copy_from_udata() doesn't check yet the available input data
length before accessing userspace memory, an explicit check of this
length is required to prevent:

- reading past the user provided buffer,
- underflow when subtracting the expected command size from the input
  length.

This will ensure the newly added flow steering uverbs don't try to
process truncated commands.

Link: http://marc.info/?i=cover.1386798254.git.ydroneaud@opteya.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 45fb80b876b0..f1cc83855af6 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2649,6 +2649,9 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
         void *ib_spec;
         int i;
 
+        if (ucore->inlen < sizeof(cmd))
+                return -EINVAL;
+
         if (ucore->outlen < sizeof(resp))
                 return -ENOSPC;
 
@@ -2799,6 +2802,9 @@ int ib_uverbs_ex_destroy_flow(struct ib_uverbs_file *file,
         struct ib_uobject               *uobj;
         int                             ret;
 
+        if (ucore->inlen < sizeof(cmd))
+                return -EINVAL;
+
         ret = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
         if (ret)
                 return ret;