IB/umad: make sure write()s have sufficient data
Make sure that userspace passes in enough data when sending a MAD. We always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR bytes from userspace, so anything less is definitely invalid. Also, if the length is less than this limit, it's possible for the second copy_from_user() to get a negative length and trigger a BUG(). Signed-off-by: Roland Dreier <rolandd@cisco.com>
This commit is contained in:
parent
48fd0d1fdd
commit
eabc77935d
1 changed files with 1 additions and 1 deletions
|
@ -312,7 +312,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
|
|||
int ret, length, hdr_len, copy_offset;
|
||||
int rmpp_active = 0;
|
||||
|
||||
if (count < sizeof (struct ib_user_mad))
|
||||
if (count < sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR)
|
||||
return -EINVAL;
|
||||
|
||||
length = count - sizeof (struct ib_user_mad);
|
||||
|
|
Loading…
Reference in a new issue