Commit dfbee859 authored by Haggai Abramovsky's avatar Haggai Abramovsky Committed by Doug Ledford

IB/mlx5: Fix data validation in mlx5_ib_alloc_ucontext

The wrong buffer size was passed to ib_is_udata_cleared.
Signed-off-by: default avatarHaggai Abramovsky <hagaya@mellanox.com>
Reviewed-by: default avatarMatan Barak <matanb@mellanox.com>
Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
parent 2deeb477
...@@ -845,6 +845,9 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev, ...@@ -845,6 +845,9 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
if (!dev->ib_active) if (!dev->ib_active)
return ERR_PTR(-EAGAIN); return ERR_PTR(-EAGAIN);
if (udata->inlen < sizeof(struct ib_uverbs_cmd_hdr))
return ERR_PTR(-EINVAL);
reqlen = udata->inlen - sizeof(struct ib_uverbs_cmd_hdr); reqlen = udata->inlen - sizeof(struct ib_uverbs_cmd_hdr);
if (reqlen == sizeof(struct mlx5_ib_alloc_ucontext_req)) if (reqlen == sizeof(struct mlx5_ib_alloc_ucontext_req))
ver = 0; ver = 0;
...@@ -871,7 +874,7 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev, ...@@ -871,7 +874,7 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
if (reqlen > sizeof(req) && if (reqlen > sizeof(req) &&
!ib_is_udata_cleared(udata, sizeof(req), !ib_is_udata_cleared(udata, sizeof(req),
udata->inlen - sizeof(req))) reqlen - sizeof(req)))
return ERR_PTR(-EOPNOTSUPP); return ERR_PTR(-EOPNOTSUPP);
req.total_num_uuars = ALIGN(req.total_num_uuars, req.total_num_uuars = ALIGN(req.total_num_uuars,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment