diff options
| author | Prasad J Pandit <pjp@fedoraproject.org> | 2018-12-13 01:00:34 +0530 |
|---|---|---|
| committer | Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | 2018-12-22 11:09:57 +0200 |
| commit | 0e68373cc2b3a063ce067bc0cc3edaf370752890 (patch) | |
| tree | aaf689ada6d7b8f1cc0dcde50100213a86470762 /hw/rdma | |
| parent | cce648613bc802be1b894227f7fd94d88476ea07 (diff) | |
rdma: check num_sge does not exceed MAX_SGE
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar <saaramar5@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Diffstat (limited to 'hw/rdma')
| -rw-r--r-- | hw/rdma/rdma_backend.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c index ae1e4dcb29..bd4710d16f 100644 --- a/hw/rdma/rdma_backend.c +++ b/hw/rdma/rdma_backend.c @@ -476,9 +476,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev, } pr_dbg("num_sge=%d\n", num_sge); - if (!num_sge) { - pr_dbg("num_sge=0\n"); - complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); + if (!num_sge || num_sge > MAX_SGE) { + pr_dbg("invalid num_sge=%d\n", num_sge); + complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx); return; } @@ -603,9 +603,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev, } pr_dbg("num_sge=%d\n", num_sge); - if (!num_sge) { - pr_dbg("num_sge=0\n"); - complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); + if (!num_sge || num_sge > MAX_SGE) { + pr_dbg("invalid num_sge=%d\n", num_sge); + complete_work(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx); return; } |