IB/mlx4: Potential buffer overflow in _mlx4_set_path()

Message ID 20171205143923.26dqc3ekhbmtmsgt@mwanda (mailing list archive)
State Accepted
Delegated to: Jason Gunthorpe

Commit Message

Dan Carpenter Dec. 5, 2017, 2:39 p.m. UTC
Smatch complains about this code:

    drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
    error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255

The mlx4_ib_gid_index_to_real_index() does check that "port" is within
bounds, but we don't check the return value for errors.  It seems simple
enough to add a check for that.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Static analysis.  Not tested.

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Leon Romanovsky Dec. 5, 2017, 3:53 p.m. UTC | #1
On Tue, Dec 05, 2017 at 05:39:23PM +0300, Dan Carpenter wrote:
> Smatch complains about this code:
>
>     drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
>     error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
>
> The mlx4_ib_gid_index_to_real_index() does check that "port" is within
> bounds, but we don't check the return value for errors.  It seems simple
> enough to add a check for that.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---

Thanks,
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>

Jason Gunthorpe Dec. 13, 2017, 6:20 p.m. UTC | #2
On Tue, Dec 05, 2017 at 05:39:23PM +0300, Dan Carpenter wrote:
> Smatch complains about this code:
> 
>     drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
>     error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
> 
> The mlx4_ib_gid_index_to_real_index() does check that "port" is within
> bounds, but we don't check the return value for errors.  It seems simple
> enough to add a check for that.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Leon Romanovsky <leonro@mellanox.com>

Thanks, applied to -next

Jason

Patch

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 013049bcdb53..817257f105aa 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1824,6 +1824,8 @@  static int _mlx4_set_path(struct mlx4_ib_dev *dev,
 			mlx4_ib_gid_index_to_real_index(dev, port,
 							grh->sgid_index);
 
+		if (real_sgid_index < 0)
+			return real_sgid_index;
 		if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) {
 			pr_err("sgid_index (%u) too large. max is %d\n",
 			       real_sgid_index, dev->dev->caps.gid_table_len[port] - 1);
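
Review bot: The added `real_sgid_index < 0` test can only fire if real_sgid_index is a signed type, and the pr_err() just below prints it with %u, which suggests it may not be. The declaration is outside this hunk, so please confirm it is an int; if it is unsigned, the negative error code returned by mlx4_ib_gid_index_to_real_index() is converted to a large positive value and the new branch is dead code. If it is signed, the %u in the existing message should become %d so the format matches the type. The new early return is also silent, while the range failure right after it logs with pr_err(); a one-line message here would make a rejected port visible in the log.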