From: Roland Dreier Date: Fri, 18 Nov 2005 22:18:26 +0000 (-0800) Subject: IB/umad: make sure write()s have sufficient data X-Git-Tag: firefly_0821_release~39906^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=eabc77935d8d2a761c88b9cbb6313bd54b6ddbb3;p=firefly-linux-kernel-4.4.55.git IB/umad: make sure write()s have sufficient data Make sure that userspace passes in enough data when sending a MAD. We always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR bytes from userspace, so anything less is definitely invalid. Also, if the length is less than this limit, it's possible for the second copy_from_user() to get a negative length and trigger a BUG(). Signed-off-by: Roland Dreier --- diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c index 5ea741f47fc8..e73f81c22381 100644 --- a/drivers/infiniband/core/user_mad.c +++ b/drivers/infiniband/core/user_mad.c @@ -312,7 +312,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, int ret, length, hdr_len, copy_offset; int rmpp_active = 0; - if (count < sizeof (struct ib_user_mad)) + if (count < sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR) return -EINVAL; length = count - sizeof (struct ib_user_mad);