[14/22] ucma: ucma_query_path(): check output length

Message ID 74830c785f6cb033b5e9ac89df56e9144d4d08d3.1376847403.git.ydroneaud@opteya.com (mailing list archive)
State Rejected

Commit Message

Yann Droneaud Aug. 18, 2013, 6:28 p.m. UTC
Makes ucma_query_path() check the length of the output buffer:
this will prevent the function from writing past the userspace-provided buffer.

Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Link: http://mid.gmane.org/cover.1376847403.git.ydroneaud@opteya.com
---
 drivers/infiniband/core/ucma.c | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index a155169..c653b1e 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -838,6 +838,9 @@  static ssize_t ucma_query_path(struct ucma_context *ctx,
 	if (out_len < sizeof(*resp))
 		return -ENOSPC;
 
+	if ((out_len - sizeof(*resp))/sizeof(struct ib_path_rec_data) < ctx->cm_id->route.num_paths)
+		return -ENOSPC;
+
 	resp = kzalloc(out_len, GFP_KERNEL);
 	if (!resp)
 		return -ENOMEM;
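
Review bot: the added test `if ((out_len - sizeof(*resp))/sizeof(struct ib_path_rec_data) < ctx->cm_id->route.num_paths)` turns a short output buffer into a hard -ENOSPC, but the changelog does not identify which write overruns. The buffer allocated just below is `kzalloc(out_len, GFP_KERNEL)`, sized from the same out_len, and the code that fills it is outside the context shown here. Please state in the commit message whether the fill loop already bounds itself by out_len (in which case this changes the result for callers that pass a buffer smaller than num_paths entries) or point at the unbounded write. On style, the new line runs past 80 columns and has no spaces around `/`; computing the quotient into a local (for example a hypothetical `avail`) would fix both, and a short comment should note that the subtraction cannot wrap only because of the preceding `out_len < sizeof(*resp)` test.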