On 8/23/2016 4:16 PM, Doug Ledford wrote:
> On 8/23/2016 3:10 PM, Shiraz Saleem wrote:
>> On Tue, Aug 23, 2016 at 12:47:35PM -0400, Doug Ledford wrote:
>>> On 8/22/2016 7:16 PM, Shiraz Saleem wrote:
>>>> Add NULL check for pdata and pdata->addr before the memcpy in
>>>> i40iw_form_cm_frame(). This fixes a NULL pointer de-reference
>>>> which occurs when the MPA private data pointer is NULL. Also
>>>> only copy pdata->size bytes in the memcpy to prevent reading
>>>> past the length of the private data buffer provided by upper layer.
>>>>
>>>> Fixes: f27b4746f378 ("i40iw: add connection management code")
>>>>
>>>> Reported-by: Stefan Assmann <sassmann@xxxxxxxxxx>
>>>> Signed-off-by: Mustafa Ismail <mustafa.ismail@xxxxxxxxx>
>>>> Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
>>>> ---
>>>> drivers/infiniband/hw/i40iw/i40iw_cm.c | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
>>>> index 5026dc7..6434398 100644
>>>> --- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
>>>> +++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
>>>> @@ -535,8 +535,8 @@ static struct i40iw_puda_buf *i40iw_form_cm_frame(struct i40iw_cm_node *cm_node,
>>>> buf += hdr_len;
>>>> }
>>>>
>>>> - if (pd_len)
>>>> - memcpy(buf, pdata->addr, pd_len);
>>>> + if (pdata && pdata->addr)
>>>> + memcpy(buf, pdata->addr, pdata->size);
>>>
>>> Is there a guarantee that pdata->size is always less than pd_len? Do
>>> you need a check here?
>>>
>>
>> pd_len is 'always' greater than or equal to pdata->size. In i40iw_form_cm_frame(),
>> pd_len starts out as pdata->size and then may be incremented by 4.
>>
>
> Thanks, I'll pull this in then.
>
Applied.
--
Doug Ledford <dledford@xxxxxxxxxx>
GPG Key ID: 0E572FDD
Attachment:
signature.asc
Description: OpenPGP digital signature
