mlx4_core: fix buffer overrun
authorEugenia Emantayev <eugenia@mellanox.co.il>
Tue, 14 Feb 2012 06:37:16 +0000 (06:37 +0000)
committerDavid S. Miller <davem@davemloft.net>
Tue, 14 Feb 2012 19:11:57 +0000 (14:11 -0500)
When passing MLX4_UC_STEER=1 it was translated to value 2
after mlx4_QP_ATTACH_wrapper. Therefore in new_steering_entry()
unicast steer entries were added to index 2 of array of size 2.
Fixing this bug by shift right to one position.

Signed-off-by: Eugenia Emantayev <eugenia@mellanox.co.il>
Reviewed-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/mellanox/mlx4/resource_tracker.c

index dcd819bfb2f05968d1d567bc36d43938c2a4fc91..1420dbc947c227115ec3b9d4ecaf5f8c9edf9ae8 100644 (file)
@@ -2538,7 +2538,7 @@ int mlx4_QP_ATTACH_wrapper(struct mlx4_dev *dev, int slave,
        int attach = vhcr->op_modifier;
        int block_loopback = vhcr->in_modifier >> 31;
        u8 steer_type_mask = 2;
-       enum mlx4_steer_type type = gid[7] & steer_type_mask;
+       enum mlx4_steer_type type = (gid[7] & steer_type_mask) >> 1;
 
        qpn = vhcr->in_modifier & 0xffffff;
        err = get_res(dev, slave, qpn, RES_QP, &rqp);