diff options
author | Jack Morgenstein <jackm@dev.mellanox.co.il> | 2007-11-20 16:01:28 -0500 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2007-11-20 16:01:28 -0500 |
commit | 9ed87fd34c97a998e63505718ce7e107a23c84c3 (patch) | |
tree | 137e38d8fed9a1b43f34f0ed009ff6ea048ac884 /drivers/net/mlx4 | |
parent | 4187b915a0f7eaa69707715e80d9fc253ff6167a (diff) |
mlx4_core: Fix state check in mlx4_qp_modify()
When checking the states passed in, mlx4_qp_modify() accidentally checks
cur_state twice rather than checking cur_state and new_state. Fix this
to make sure that both values are in-bounds.
Since these values may be passed in from userspace, this bug results in
userspace being able to trigger an oops.
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Cc: stable <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/net/mlx4')
-rw-r--r-- | drivers/net/mlx4/qp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/mlx4/qp.c b/drivers/net/mlx4/qp.c index 42b47639c81c..fa24e6597591 100644 --- a/drivers/net/mlx4/qp.c +++ b/drivers/net/mlx4/qp.c | |||
@@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt, | |||
113 | struct mlx4_cmd_mailbox *mailbox; | 113 | struct mlx4_cmd_mailbox *mailbox; |
114 | int ret = 0; | 114 | int ret = 0; |
115 | 115 | ||
116 | if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE || | 116 | if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE || |
117 | !op[cur_state][new_state]) | 117 | !op[cur_state][new_state]) |
118 | return -EINVAL; | 118 | return -EINVAL; |
119 | 119 | ||