IB/mad: Check hop count field in directed route MAD to avoid array overflow

The hop count field in a directed route MAD is only allowed to be in the
range 0 to 63 (by spec).  Check that this really is the case to avoid
accessing outside the bounds of the hop array.

Reported-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/drivers/infiniband/core/smi.c b/drivers/infiniband/core/smi.c
index 87236753bce9..5855e4405d9b 100644
--- a/drivers/infiniband/core/smi.c
+++ b/drivers/infiniband/core/smi.c
@@ -52,6 +52,10 @@ enum smi_action smi_handle_dr_smp_send(struct ib_smp *smp,
         hop_cnt = smp->hop_cnt;
 
         /* See section 14.2.2.2, Vol 1 IB spec */
+        /* C14-6 -- valid hop_cnt values are from 0 to 63 */
+        if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
+                return IB_SMI_DISCARD;
+
         if (!ib_get_smp_direction(smp)) {
                 /* C14-9:1 */
                 if (hop_cnt && hop_ptr == 0) {
@@ -133,6 +137,10 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, u8 node_type,
         hop_cnt = smp->hop_cnt;
 
         /* See section 14.2.2.2, Vol 1 IB spec */
+        /* C14-6 -- valid hop_cnt values are from 0 to 63 */
+        if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
+                return IB_SMI_DISCARD;
+
         if (!ib_get_smp_direction(smp)) {
                 /* C14-9:1 -- sender should have incremented hop_ptr */
                 if (hop_cnt && hop_ptr == 0)