svn commit: r341553 - head/sys/dev/mlx5/mlx5_ib
Slava Shwartsman
slavash at FreeBSD.org
Wed Dec 5 13:40:07 UTC 2018
Author: slavash
Date: Wed Dec 5 13:40:05 2018
New Revision: 341553
URL: https://svnweb.freebsd.org/changeset/base/341553
Log:
mlx5: Fix integer overflow while resizing CQ
The user can provide very large cqe_size which will cause to integer
overflow.
Linux commit:
28e9091e3119933c38933cb8fc48d5618eb784c8
Approved by: hselasky (mentor)
MFC after: 1 week
Sponsored by: Mellanox Technologies
Modified:
head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
Modified: head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
==============================================================================
--- head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 5 13:39:35 2018 (r341552)
+++ head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 5 13:40:05 2018 (r341553)
@@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct
if (ucmd.reserved0 || ucmd.reserved1)
return -EINVAL;
- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+ /* check multiplication overflow */
+ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+ return -EINVAL;
+
+ umem = ib_umem_get(context, ucmd.buf_addr,
+ (size_t)ucmd.cqe_size * entries,
IB_ACCESS_LOCAL_WRITE, 1);
if (IS_ERR(umem)) {
err = PTR_ERR(umem);
More information about the svn-src-all
mailing list