On 26/8/2013 10:01 PM, Roland Dreier wrote:
On Wed, Aug 14, 2013 at 3:58 AM, Or Gerlitz <ogerl...@mellanox.com> wrote:
+ if (cmd.flow_attr.num_of_specs) {
+ kern_flow_attr = kmalloc(cmd.flow_attr.size, GFP_KERNEL);
+ if (!kern_flow_attr)
+ return -ENOMEM;
+
+ memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr));
+ kern_attr_size = cmd.flow_attr.size - sizeof(cmd) -
sizeof(struct ib_uverbs_cmd_hdr_ex);
+ if (copy_from_user(kern_flow_attr + 1, buf + sizeof(cmd),
+ kern_attr_size)) {
+ err = -EFAULT;
+ goto err_free_attr;
+ }
+ } else {
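Review bot: cmd.flow_attr.size is taken from userspace and used unchecked both as the kmalloc() length and, after the subtraction on the kern_attr_size line, as the copy_from_user() length; because kern_attr_size is a plain int, a size smaller than sizeof(cmd) + sizeof(struct ib_uverbs_cmd_hdr_ex) goes negative and is then passed to copy_from_user() as a huge unsigned length, and the memcpy() of sizeof(*kern_flow_attr) bytes into a buffer of only cmd.flow_attr.size bytes overflows whenever size is smaller than that struct. Before the kmalloc(), reject any cmd.flow_attr.size below both sizeof(*kern_flow_attr) and sizeof(cmd) + sizeof(struct ib_uverbs_cmd_hdr_ex), bound it above by something derived from num_of_specs and the largest spec size, and make kern_attr_size an unsigned type (size_t) so the arithmetic cannot go negative unnoticed.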
This looks risky... it's basically taking size fields passed in from
userspace and trusting them enough to pass directly to kmalloc. In
fact kern_attr_size is a plain int and I don't see even enough checking
to make sure it's positive (nothing I see enforces that
cmd.flow_attr.size > sizeof(cmd) + sizeof(struct
ib_uverbs_cmd_hdr_ex)).
- R.
You are correct. We'll fix it in V6.
- Matan