authorMichael Brown2016-03-30 08:31:51 +0200
committerMichael Brown2016-03-30 08:31:51 +0200
commit597521ef531b2d7f8ed264f33cba7517e11ab05e (patch)
tree4c4c653497e845a56e1d0012d5bf581d76a13a35 /src/drivers/infiniband
parent[linda] Validate payload length (diff)
[qib7322] Validate payload length
There is no way for the hardware to give us an invalid length in the LRH, since it must have parsed this length field in order to perform header splitting. However, this is difficult to prove conclusively. Add an unnecessary length check to explicitly reject any packets larger than the posted receive I/O buffer. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/drivers/infiniband')
-rw-r--r--src/drivers/infiniband/qib7322.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/drivers/infiniband/qib7322.c b/src/drivers/infiniband/qib7322.c
index 3bd587ec..af7006e0 100644
--- a/src/drivers/infiniband/qib7322.c
+++ b/src/drivers/infiniband/qib7322.c
@@ -1507,8 +1507,15 @@ static void qib7322_complete_recv ( struct ib_device *ibdev,
/* Completing the eager buffer described in
* this header entry.
*/
- iob_put ( iobuf, payload_len );
- rc = ( err ? -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+ if ( payload_len <= iob_tailroom ( iobuf ) ) {
+ iob_put ( iobuf, payload_len );
+ rc = ( err ?
+ -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
+ } else {
+ DBGC ( qib7322, "QIB7322 %p bad payload len "
+ "%zd\n", qib7322, payload_len );
+ rc = -EPROTO;
+ }
/* Redirect to target QP if necessary */
if ( qp != intended_qp ) {
DBGC2 ( qib7322, "QIB7322 %p redirecting QPN "
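Review bot: The new `payload_len <= iob_tailroom ( iobuf )` test is the only guard between a device-derived length and `iob_put()`, yet nothing in the code says so, and the commit message itself calls the check unnecessary, which invites a later cleanup to remove it. I would add a comment directly above the `if`, for example `/* Defensive: never extend the I/O buffer beyond the posted receive buffer, even if the LRH length is wrong */`. The computation of `payload_len` lies outside this hunk; if it is obtained by subtracting header and CRC lengths, an underflow would presumably wrap to a very large value, which this comparison rejects only while it is evaluated as unsigned, so the variable's type is worth confirming. Note also that when both `err` is set and the length is bad, the completion now reports `-EPROTO` rather than `-EIO`; that seems reasonable but deserves a word in the same comment. The body of `qib7322_complete_recv` starts and ends outside the hunk.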
@@ -1519,7 +1526,7 @@ static void qib7322_complete_recv ( struct ib_device *ibdev,
intended_qp->recv.fill++;
}
ib_complete_recv ( ibdev, intended_qp, &dest, &source,
- iobuf, rc);
+ iobuf, rc );
} else {
/* Completing on a skipped-over eager buffer */
ib_complete_recv ( ibdev, qp, &dest, &source, iobuf,