author | Yuval Shaia | 2019-02-12 12:23:47 +0100 |
---|---|---|
committer | Marcel Apfelbaum | 2019-03-16 14:45:12 +0100 |
commit | ade0075523478fa015afd5c6f6cc70681687818d (patch) | |
tree | 3d0a0a2372ac8ec1e2b2810c6934da53f54ad059 /hw/rdma/vmw | |
parent | Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20190315'... (diff) | |
contrib/rdmacm-mux: Fix out-of-bounds risk
The function get_fd extracts the context from the received MAD message and
uses it as a key to fetch the destination fd from the mapping table.
A context can be dgid in case of a CM request message or comm_id in case
of a CM SIDR response message.
When a MAD message with a smaller size than expected for the message type
is received we are hitting out-of-bounds where we are looking for the
context out of message boundaries.
Fix it by validating the message size.
Reported-by: Sam Smith <sam.j.smith@oracle.com>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Message-Id: <20190212112347.1605-1-yuval.shaia@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Diffstat (limited to 'hw/rdma/vmw')
0 files changed, 0 insertions, 0 deletions
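
The size validation the commit message describes, as an added example that is not the code from this commit or from QEMU: the context's offset and length depend on the message type, and the received length is checked against them before the key is read. The message layout, type values, offsets and the names `extract_context` and `probe` are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for illustration only: not the real MAD format and
 * not the offsets used in contrib/rdmacm-mux. */
enum { HDR_LEN = 4, TYPE_CM_REQ = 1, TYPE_SIDR_REP = 2 };
enum { DGID_OFF = 16, DGID_LEN = 8, COMM_ID_OFF = 4, COMM_ID_LEN = 4 };

/* Copy the lookup key for this message type into key[8].
 * Returns the key length, or -1 if the message is too short or unknown. */
int extract_context(const uint8_t *msg, size_t len, uint8_t key[8])
{
    size_t off, klen;

    if (len < HDR_LEN)              /* cannot even read the type byte */
        return -1;
    switch (msg[0]) {
    case TYPE_CM_REQ:   off = DGID_OFF;    klen = DGID_LEN;    break;
    case TYPE_SIDR_REP: off = COMM_ID_OFF; klen = COMM_ID_LEN; break;
    default:            return -1;
    }
    /* The context must lie entirely inside the received bytes before it
     * is used as a key; without this check a short message makes the
     * memcpy below read past the end of what was received. */
    if (len < off + klen)
        return -1;
    memcpy(key, msg + off, klen);
    return (int)klen;
}

/* Demo helper: a zero-filled message of `len` received bytes (len <= 64). */
int probe(uint8_t type, size_t len)
{
    uint8_t buf[64] = {0}, key[8];
    buf[0] = type;
    return extract_context(buf, len, key);
}

int main(void)
{
    printf("full CM request:      %d\n", probe(TYPE_CM_REQ, 24));
    printf("truncated CM request: %d\n", probe(TYPE_CM_REQ, 20));
    printf("SIDR response:        %d\n", probe(TYPE_SIDR_REP, 8));
    return 0;
}
```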