mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-30 08:02:30 +00:00
IB/mlx5: Fix data validation in mlx5_ib_alloc_ucontext
The wrong buffer size was passed to ib_is_udata_cleared. Signed-off-by: Haggai Abramovsky <hagaya@mellanox.com> Reviewed-by: Matan Barak <matanb@mellanox.com> Signed-off-by: Doug Ledford <dledford@redhat.com>
This commit is contained in:
parent
2deeb47729
commit
dfbee8598d
1 changed files with 4 additions and 1 deletions
|
@ -845,6 +845,9 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
|
|||
if (!dev->ib_active)
|
||||
return ERR_PTR(-EAGAIN);
|
||||
|
||||
if (udata->inlen < sizeof(struct ib_uverbs_cmd_hdr))
|
||||
return ERR_PTR(-EINVAL);
|
||||
|
||||
reqlen = udata->inlen - sizeof(struct ib_uverbs_cmd_hdr);
|
||||
if (reqlen == sizeof(struct mlx5_ib_alloc_ucontext_req))
|
||||
ver = 0;
|
||||
|
@ -871,7 +874,7 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
|
|||
|
||||
if (reqlen > sizeof(req) &&
|
||||
!ib_is_udata_cleared(udata, sizeof(req),
|
||||
udata->inlen - sizeof(req)))
|
||||
reqlen - sizeof(req)))
|
||||
return ERR_PTR(-EOPNOTSUPP);
|
||||
|
||||
req.total_num_uuars = ALIGN(req.total_num_uuars,
|
||||
|
|
Loading…
Reference in a new issue