redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity

RDAM/netlink: Fix out-of-bound access while checking message validity 

The netlink message sent with type == 0, which doesn't have any client
behind it, caused to the overflow in max_num_ops array.

Fix it by declaring zero number of ops for the first client.

Fixes: c9901724a2 ("RDMA/netlink: Remove netlink clients infrastructure")
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
hifive-unleashed-5.1
Leon Romanovsky 2017-09-08 13:02:26 +03:00 committed by Linus Torvalds
parent 5969d1bb30
commit 8b2c7e7a3c
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
drivers/infiniband/core/netlink.c
View File

@ -57,7 +57,8 @@ EXPORT_SYMBOL(rdma_nl_chk_listeners);
static bool is_nl_msg_valid(unsigned int type, unsigned int op)
{
static const unsigned int max_num_ops[RDMA_NL_NUM_CLIENTS - 1] = {
static const unsigned int max_num_ops[RDMA_NL_NUM_CLIENTS] = {
0,
RDMA_NL_RDMA_CM_NUM_OPS,
RDMA_NL_IWPM_NUM_OPS,
0,
@ -70,10 +71,10 @@ static bool is_nl_msg_valid(unsigned int type, unsigned int op)
*/
BUILD_BUG_ON(RDMA_NL_NUM_CLIENTS != 6);
if (type > RDMA_NL_NUM_CLIENTS - 1)
if (type >= RDMA_NL_NUM_CLIENTS)
return false;
return (op < max_num_ops[type - 1]) ? true : false;
return (op < max_num_ops[type]) ? true : false;
}
static bool is_nl_valid(unsigned int type, unsigned int op)