From 01e517f16e38fc2345d4d555a7764b5f3f35af84 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 7 Jun 2016 15:04:16 +0300 Subject: [PATCH] qed: potential overflow in qed_cxt_src_t2_alloc() In the current code "ent_per_page" could be more than "conn_num" making "conn_num" negative after the subtraction. In the next iteration through the loop then the negative is treated as a very high positive meaning we don't put a limit on "ent_num". It could lead to memory corruption. Fixes: dbb799c39717 ('qed: Initialize hardware for new protocols') Signed-off-by: Dan Carpenter Acked-by: Yuval Mintz Signed-off-by: David S. Miller --- drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c index d85b7ba8cb9a..1c35f376143e 100644 --- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c +++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c @@ -850,7 +850,7 @@ static int qed_cxt_src_t2_alloc(struct qed_hwfn *p_hwfn) val = 0; entries[j].next = cpu_to_be64(val); - conn_num -= ent_per_page; + conn_num -= ent_num; } return 0; -- 2.20.1