diff options
author | Yuval Shaia | 2018-04-30 22:02:20 +0200 |
---|---|---|
committer | Marcel Apfelbaum | 2018-05-03 19:52:29 +0200 |
commit | c387e8a4ecee76479f4b83b58e2e8ab854ef74ee (patch) | |
tree | bcbebea63cdb7999efc51c5a57823d88c99c1fd5 /hw/rdma/vmw | |
parent | hw/rdma: Delete port's pkey table (diff) | |
download | qemu-c387e8a4ecee76479f4b83b58e2e8ab854ef74ee.tar.gz qemu-c387e8a4ecee76479f4b83b58e2e8ab854ef74ee.tar.xz qemu-c387e8a4ecee76479f4b83b58e2e8ab854ef74ee.zip |
hw/rdma: Fix possible out of bounds access to GID table
Array size is MAX_PORT_GIDS, let's make sure the given index is in
range.
While there limit device table size to 1.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Message-Id: <20180430200223.4119-5-marcel.apfelbaum@gmail.com>
Diffstat (limited to 'hw/rdma/vmw')
-rw-r--r-- | hw/rdma/vmw/pvrdma_cmd.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index f9dd78cb27..14255d609f 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -576,7 +576,7 @@ static int create_bind(PVRDMADev *dev, union pvrdma_cmd_req *req, pr_dbg("index=%d\n", cmd->index); - if (cmd->index > MAX_PORT_GIDS) { + if (cmd->index >= MAX_PORT_GIDS) { return -EINVAL; } @@ -603,7 +603,11 @@ static int destroy_bind(PVRDMADev *dev, union pvrdma_cmd_req *req, { struct pvrdma_cmd_destroy_bind *cmd = &req->destroy_bind; - pr_dbg("clear index %d\n", cmd->index); + pr_dbg("index=%d\n", cmd->index); + + if (cmd->index >= MAX_PORT_GIDS) { + return -EINVAL; + } memset(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw, 0, sizeof(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw)); |