On 11/21/2016 12:17 PM, Hal Rosenstock wrote:
> I think there is also a similar missing check in ib_register_mad_agent where:
>
>         /*
>          * Make sure MAD registration (if supplied)
>          * is non overlapping with any existing ones
>          */
>         if (mad_reg_req) {
>                 mgmt_class = convert_mgmt_class(mad_reg_req->mgmt_class);
>                 if (!is_vendor_class(mgmt_class)) {
>                         class = port_priv->version[mad_reg_req->
>                                                 mgmt_class_version].class;
>                         if (class) {
>                                 method = class->method_table[mgmt_class];
>
> so here the class' method_table is also accessed without checking mgmt_class for range violation, right?

Hello Hal,

I think such a check is already present in ib_register_mad_agent():

	if (mad_reg_req->mgmt_class >= MAX_MGMT_CLASS) {
		/*
		 * IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE is the only
		 * one in this range currently allowed
		 */
		if (mad_reg_req->mgmt_class !=
		    IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE) {
			dev_notice(&device->dev,
				   "%s: Invalid Mgmt Class 0x%x\n",
				   __func__, mad_reg_req->mgmt_class);
			goto error1;
		}
	}
	[ ... ]

Bart.
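The ordering discussed in this exchange (range check first, then convert_mgmt_class(), then the method_table index), as an added user-space example that is not part of the original mail or the kernel source. The two constant values, the aliasing of the directed-route class to index 0, and the helper names mgmt_class_valid(), lookup_index(), count_accepted() and count_escapes() are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; the mail does not state them. */
#define MAX_MGMT_CLASS                    80
#define IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE 0x81

/* Assumed behaviour: alias the directed-route class to index 0. */
static int convert_mgmt_class(uint8_t mgmt_class)
{
    return mgmt_class == IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE ? 0 : mgmt_class;
}

/* The check quoted in the reply: only one out-of-range class is allowed. */
static int mgmt_class_valid(uint8_t mgmt_class)
{
    return mgmt_class < MAX_MGMT_CLASS ||
           mgmt_class == IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE;
}

/* Index into a MAX_MGMT_CLASS-sized table, or -1 if the class is rejected. */
static int lookup_index(uint8_t mgmt_class)
{
    if (!mgmt_class_valid(mgmt_class))
        return -1;
    return convert_mgmt_class(mgmt_class);
}

/* Number of u8 class values that pass validation. */
static int count_accepted(void)
{
    int c, n = 0;
    for (c = 0; c <= 0xff; c++)
        n += mgmt_class_valid((uint8_t)c);
    return n;
}

/* Exhaustive sweep: accepted values whose index would fall outside the table. */
static int count_escapes(void)
{
    int c, n = 0;
    for (c = 0; c <= 0xff; c++)
        if (mgmt_class_valid((uint8_t)c) &&
            convert_mgmt_class((uint8_t)c) >= MAX_MGMT_CLASS)
            n++;
    return n;
}

int main(void)
{
    printf("accepted=%d escapes=%d\n", count_accepted(), count_escapes());
    return 0;
}
```

Because the class is a single byte, the sweep covers the whole input domain, so a zero escape count shows that validation followed by conversion cannot produce an index past the table under these assumptions.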