aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/infiniband/core
diff options
context:
space:
mode:
authorRoland Dreier <rolandd@cisco.com>2005-11-18 17:18:26 -0500
committerRoland Dreier <rolandd@cisco.com>2005-11-18 17:18:26 -0500
commiteabc77935d8d2a761c88b9cbb6313bd54b6ddbb3 (patch)
treecde3d8c648c09264669ca207df597d9e96c849bb /drivers/infiniband/core
parent48fd0d1fdd357caa2de8cb4ce6af810df7535f43 (diff)
IB/umad: make sure write()s have sufficient data
Make sure that userspace passes in enough data when sending a MAD. We always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR bytes from userspace, so anything less is definitely invalid. Also, if the length is less than this limit, it's possible for the second copy_from_user() to get a negative length and trigger a BUG(). Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/core')
-rw-r--r--drivers/infiniband/core/user_mad.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index 5ea741f47fc8..e73f81c22381 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -312,7 +312,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
312 int ret, length, hdr_len, copy_offset; 312 int ret, length, hdr_len, copy_offset;
313 int rmpp_active = 0; 313 int rmpp_active = 0;
314 314
315 if (count < sizeof (struct ib_user_mad)) 315 if (count < sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR)
316 return -EINVAL; 316 return -EINVAL;
317 317
318 length = count - sizeof (struct ib_user_mad); 318 length = count - sizeof (struct ib_user_mad);