On Sun, Mar 25, 2018 at 11:10:27AM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
>
> Ensure that user provides valid AF family prior to query device address.
>
> Reported-by: <syzbot+2a2c48fc189ed5125b9c@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Fixes: ee7aed4528fb ("RDMA/ucma: Support querying for AF_IB addresses")
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
>  drivers/infiniband/core/ucma.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
> index 5db68d86070f..2178022badcc 100644
> +++ b/drivers/infiniband/core/ucma.c
> @@ -879,10 +879,13 @@ static ssize_t ucma_query_addr(struct ucma_context *ctx,
>
>  addr = (struct sockaddr *) &ctx->cm_id->route.addr.src_addr;
>  resp.src_size = rdma_addr_size(addr);
> - memcpy(&resp.src_addr, addr, resp.src_size);
> -
>  addr = (struct sockaddr *) &ctx->cm_id->route.addr.dst_addr;
>  resp.dst_size = rdma_addr_size(addr);
> +
> + if (!resp.src_size || !resp.dst_size)
> + return -EINVAL;
> +
> + memcpy(&resp.src_addr, addr, resp.src_size);
>  memcpy(&resp.dst_addr, addr, resp.dst_size);

Woah, no, NAK!

Moving the memcpy without revising addr breaks it.

.. and I don't understand this at all, how does 0 src_size cause a null pointer deref? memcpy(a,b,0) is OK right?

You need to explain what this fixes in the commit message...

Jason
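Review bot: The relocated `memcpy(&resp.src_addr, addr, resp.src_size);` in the hunk now executes after `addr` has been reassigned to `&ctx->cm_id->route.addr.dst_addr`, so both copies read from the destination address and `resp.src_addr` is filled with the destination sockaddr truncated or extended to the source's length; the source address is never returned to userspace. If the size check is to happen before either copy, keep two pointers alive across the check rather than reusing `addr`, e.g. `src = (struct sockaddr *) &ctx->cm_id->route.addr.src_addr;` and `dst = (struct sockaddr *) &ctx->cm_id->route.addr.dst_addr;`, compute both sizes, do the `-EINVAL` bail-out, and only then `memcpy(&resp.src_addr, src, resp.src_size);` followed by the matching copy from `dst`. Separately, the commit message says only "ensure valid AF family" and does not say which path lets an address with a zero `rdma_addr_size()` reach this query or why a zero-length copy is the failure (a zero-length memcpy is itself a no-op); the message should name the actual faulting access so the reviewer can confirm that rejecting a zero size here is the right fix and not a symptom patch.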