Message ID | d27716a3a1c180f832d153a7402f65ea8a75b734.1376847403.git.ydroneaud@opteya.com (mailing list archive) |
---|---|
State | Rejected |
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h index e5551ac..c59a365 100644 --- a/include/rdma/ib_verbs.h +++ b/include/rdma/ib_verbs.h @@ -1363,6 +1363,9 @@ static inline int ib_copy_from_udata(void *dest, const struct ib_udata *udata, s static inline int ib_copy_to_udata(struct ib_udata *udata, const void *src, size_t len) { + if (udata->outlen < len) { + return -ENOSPC; + } return copy_to_user(udata->outbuf, src, len) ? -EFAULT : 0; }
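
Review bot: The new `if (udata->outlen < len)` check in ib_copy_to_udata() adds -ENOSPC as a second failure value for a helper that previously returned only 0 or -EFAULT, and nothing in the hunk documents it. A short comment above the function saying that -ENOSPC means udata->outlen is smaller than len would let callers distinguish a too-small user buffer from a faulting one. The braces around the single `return -ENOSPC;` statement are also unnecessary under kernel coding style and can be dropped.
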
This patch makes ib_copy_to_udata() check the output length before writing to userspace buffer to prevent out of bound access.

Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Link: http://mid.gmane.org/cover.1376847403.git.ydroneaud@opteya.com

---

include/rdma/ib_verbs.h | 3 +++
1 file changed, 3 insertions(+)