linux/drivers/infiniband/hw
Roland Dreier 51af33e8e4 RDMA/nes: Fix possible array overrun
In nes_create_qp(), the test

	if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {

is used to error out if the db_index is too large; however, if the
test doesn't trigger, then the index is used as

	nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp;

and mmap_nesqp is declared as

	struct nes_qp      *mmap_nesqp[NES_MAX_USER_WQ_REGIONS];

which leads to an array overrun if the index is exactly equal to
NES_MAX_USER_WQ_REGIONS.  Fix this by bailing out if the index is
greater than or equal to NES_MAX_USER_WQ_REGIONS.

This was spotted by the Coverity checker (CID 2162).

Acked-by: Glenn Streiff <gstreiff@neteffect.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
2008-02-18 10:33:59 -08:00
..
amso1100 [NET]: Nuke SET_MODULE_OWNER macro. 2007-10-10 16:51:13 -07:00
cxgb3 RDMA/cxgb3: Fail loopback connections 2008-02-13 07:47:42 -08:00
ehca IB/ehca: Add PMA support 2008-02-04 20:20:42 -08:00
ipath IB/ipath: Remove unnecessary cast 2008-01-25 14:17:46 -08:00
mlx4 IB/mlx4: mlx4_ib_fmr_alloc() should call mlx4_fmr_enable() 2008-02-14 10:39:36 -08:00
mthca IB/mthca: Convert to use be16_add_cpu() 2008-02-13 07:47:47 -08:00
nes RDMA/nes: Fix possible array overrun 2008-02-18 10:33:59 -08:00