On Tue, May 15, 2018 at 05:09:48PM +0300, Leon Romanovsky wrote:
> +	/* each counter entry have both index and description */
> +	mcounters->counters_data = kcalloc(ncounters * 2,
> +					   sizeof(u32),
> +					   GFP_KERNEL);

This is the wrong way to use kcalloc, math on the untrusted value is not
permitted, it should be written as:

kcalloc(ncounters, sizeof(u32) * 2, GFP_KERNEL);

> +	/* init the fields for the object */
> +	mcounters->type = counters_type;
> +	mcounters->read_counters = read_flow_counters;
> +	mcounters->counters_num = ARRAY_SIZE(basic_flow_cnts);
> +	mcounters->ncounters = ncounters;
> +	desc = mcounters->counters_data;
> +	index = desc + ncounters;

Why build a struct as two concatenated arrays? That is so strange.

And it comes from user space like that too? Gross.

Why isn't it an array of

struct counter_desc {
	u32 type;
	u32 index;

??

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
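Review bot: In the kcalloc hunk, the `ncounters * 2` product is computed by the caller before kcalloc sees it, so kcalloc's built-in overflow check only covers `(ncounters * 2) * sizeof(u32)` and never the `* 2` itself; if `ncounters` is a 32-bit quantity taken from user space, that first multiplication can wrap to a small value and produce an undersized buffer. Moving the constant factor into the element size, `kcalloc(ncounters, 2 * sizeof(u32), GFP_KERNEL)`, keeps every multiplication inside the checked helper, which is the fix already requested in the reply.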
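Review bot: In the second hunk, `index = desc + ncounters` relies on the allocation being exactly `2 * ncounters` u32s, yet no upper bound on `ncounters` is visible in the quoted lines before it reaches kcalloc, so a user-supplied value is only limited by whatever the allocator rejects. Validate `ncounters` against a sane maximum before allocating, and, as suggested in the reply, allocate one array of `struct counter_desc { u32 type; u32 index; }` so the pairing of description and index is carried by the type rather than by pointer arithmetic over two concatenated arrays.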