diff options
author | Roland Dreier <rolandd@cisco.com> | 2008-02-18 10:33:59 -0800 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2008-02-18 10:33:59 -0800 |
commit | 51af33e8e45b845d8ee85446f58e31bc4c118048 (patch) | |
tree | 5d82fbb684c0adc0a01f2277f93fab7da2ac3810 /include | |
parent | edd2fd643c500c812cae5b0d314ab9db9f959898 (diff) |
RDMA/nes: Fix possible array overrun
In nes_create_qp(), the test
if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {
is used to error out if the db_index is too large; however, if the
test doesn't trigger, then the index is used as
nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp;
and mmap_nesqp is declared as
struct nes_qp *mmap_nesqp[NES_MAX_USER_WQ_REGIONS];
which leads to an array overrun if the index is exactly equal to
NES_MAX_USER_WQ_REGIONS. Fix this by bailing out if the index is
greater than or equal to NES_MAX_USER_WQ_REGIONS.
This was spotted by the Coverity checker (CID 2162).
Acked-by: Glenn Streiff <gstreiff@neteffect.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions