| Message ID | 2bf102a41c51f61965ee09df827abe8fefb523a9.1376847403.git.ydroneaud@opteya.com (mailing list archive) |
|---|---|
| State | Rejected |
| Headers | show |
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h index 21dbc42..e5551ac 100644 --- a/include/rdma/ib_verbs.h +++ b/include/rdma/ib_verbs.h @@ -1355,6 +1355,9 @@ void ib_set_client_data(struct ib_device *device, struct ib_client *client, static inline int ib_copy_from_udata(void *dest, const struct ib_udata *udata, size_t len) { + if (udata->inlen < len) { + return -EINVAL; + } return copy_from_user(dest, udata->inbuf, len) ? -EFAULT : 0; }
This patch makes ib_copy_from_udata() check the input length before reading from userspace buffer to prevent out of bound access. Signed-off-by: Yann Droneaud <ydroneaud@opteya.com> Link: http://mid.gmane.org/cover.1376847403.git.ydroneaud@opteya.com --- include/rdma/ib_verbs.h | 3 +++ 1 file changed, 3 insertions(+)