Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

RDMA/cma: Check for NULL conn_param in rdma_accept

Browse source 
Check that conn_param is not null before dereferencing it when
processing rdma_accept().  This is necessary to prevent a possible
system crash, which can be caused by user space.

Problem found by code inspection.

Signed-off-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
This commit is contained in:
Hefty, Sean 2011-10-06 09:33:04 -07:00 committed by Roland Dreier
parent 10889a3643
commit f45ee80eb0
1 changed files with 23 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
drivers/infiniband/core/cma.c
View file

@ -2616,14 +2616,16 @@ static int cma_connect_iw(struct rdma_id_private *id_priv,
if (ret) if (ret)
goto out; goto out;
iw_param.ord = conn_param->initiator_depth; if (conn_param) {
iw_param.ird = conn_param->responder_resources; iw_param.ord = conn_param->initiator_depth;
iw_param.private_data = conn_param->private_data; iw_param.ird = conn_param->responder_resources;
iw_param.private_data_len = conn_param->private_data_len; iw_param.private_data = conn_param->private_data;
if (id_priv->id.qp) iw_param.private_data_len = conn_param->private_data_len;
iw_param.qpn = id_priv->id.qp ? id_priv->qp_num : conn_param->qp_num;
} else {
memset(&iw_param, 0, sizeof iw_param);
iw_param.qpn = id_priv->qp_num; iw_param.qpn = id_priv->qp_num;
else }
iw_param.qpn = conn_param->qp_num;
ret = iw_cm_connect(cm_id, &iw_param); ret = iw_cm_connect(cm_id, &iw_param);
out: out:
if (ret) { if (ret) {
@ -2765,14 +2767,20 @@ int rdma_accept(struct rdma_cm_id *id, struct rdma_conn_param *conn_param)
switch (rdma_node_get_transport(id->device->node_type)) { switch (rdma_node_get_transport(id->device->node_type)) {
case RDMA_TRANSPORT_IB: case RDMA_TRANSPORT_IB:
if (id->qp_type == IB_QPT_UD) if (id->qp_type == IB_QPT_UD) {
ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS, if (conn_param)
conn_param->private_data, ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS,
conn_param->private_data_len); conn_param->private_data,
else if (conn_param) conn_param->private_data_len);
ret = cma_accept_ib(id_priv, conn_param); else
else ret = cma_send_sidr_rep(id_priv, IB_SIDR_SUCCESS,
ret = cma_rep_recv(id_priv); NULL, 0);
} else {
if (conn_param)
ret = cma_accept_ib(id_priv, conn_param);
else
ret = cma_rep_recv(id_priv);
}
break; break;
case RDMA_TRANSPORT_IWARP: case RDMA_TRANSPORT_IWARP:
ret = cma_accept_iw(id_priv, conn_param); ret = cma_accept_iw(id_priv, conn_param);