04ded16724
private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery <benjamin.thery@bull.net> Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335> Signed-off-by: Sean Hefty <sean.hefty@intel.com> Signed-off-by: Roland Dreier <roland@purestorage.com> |
||
---|---|---|
.. | ||
addr.c | ||
agent.c | ||
agent.h | ||
cache.c | ||
cm.c | ||
cm_msgs.h | ||
cma.c | ||
core_priv.h | ||
device.c | ||
fmr_pool.c | ||
iwcm.c | ||
iwcm.h | ||
mad.c | ||
mad_priv.h | ||
mad_rmpp.c | ||
mad_rmpp.h | ||
Makefile | ||
multicast.c | ||
netlink.c | ||
packer.c | ||
sa.h | ||
sa_query.c | ||
smi.c | ||
smi.h | ||
sysfs.c | ||
ucm.c | ||
ucma.c | ||
ud_header.c | ||
umem.c | ||
user_mad.c | ||
uverbs.h | ||
uverbs_cmd.c | ||
uverbs_main.c | ||
uverbs_marshall.c | ||
verbs.c |