Commit b7dd5edc authored by Eyal Itkin's avatar Eyal Itkin Committed by Greg Kroah-Hartman

IB/rxe: Fix mem_check_range integer overflow

commit 647bf3d8 upstream.

Update the range check to avoid integer-overflow in edge case.
Resolves CVE 2016-8636.
Signed-off-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarLeon Romanovsky <leonro@mellanox.com>
Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 5476efee
......@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
case RXE_MEM_TYPE_MR:
case RXE_MEM_TYPE_FMR:
return ((iova < mem->iova) ||
((iova + length) > (mem->iova + mem->length))) ?
-EFAULT : 0;
if (iova < mem->iova ||
length > mem->length ||
iova > mem->iova + mem->length - length)
return -EFAULT;
return 0;
default:
return -EFAULT;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment