IB/mlx5: Fix data validation in mlx5_ib_alloc_ucontext

author Haggai Abramovsky <hagaya@mellanox.com>

Thu, 14 Jan 2016 17:12:56 +0000 (19:12 +0200)

committer Doug Ledford <dledford@redhat.com>

Thu, 21 Jan 2016 17:01:08 +0000 (12:01 -0500)
author Haggai Abramovsky <hagaya@mellanox.com>
Thu, 14 Jan 2016 17:12:56 +0000 (19:12 +0200)
committer Doug Ledford <dledford@redhat.com>
Thu, 21 Jan 2016 17:01:08 +0000 (12:01 -0500)
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c

index f509dcb856655d5f68dd6a83fe394d53df4baf3a..f82336699c3e47bec1e7369af1bc89c8c261df2e 100644 (file)
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -845,6 +845,9 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
         if (!dev->ib_active)
                 return ERR_PTR(-EAGAIN);
  
+       if (udata->inlen < sizeof(struct ib_uverbs_cmd_hdr))
+               return ERR_PTR(-EINVAL);
+
         reqlen = udata->inlen - sizeof(struct ib_uverbs_cmd_hdr);
         if (reqlen == sizeof(struct mlx5_ib_alloc_ucontext_req))
                 ver = 0;
@@ -871,7 +874,7 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
  
         if (reqlen > sizeof(req) &&
             !ib_is_udata_cleared(udata, sizeof(req),
-                                udata->inlen - sizeof(req)))
+                                reqlen - sizeof(req)))
                 return ERR_PTR(-EOPNOTSUPP);
  
         req.total_num_uuars = ALIGN(req.total_num_uuars,
author	Haggai Abramovsky <hagaya@mellanox.com>
	Thu, 14 Jan 2016 17:12:56 +0000 (19:12 +0200)
committer	Doug Ledford <dledford@redhat.com>
	Thu, 21 Jan 2016 17:01:08 +0000 (12:01 -0500)