From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 5 Dec 2017 17:39:23 +0300
Subject: IB/mlx4: Potential buffer overflow in _mlx4_set_path()
Patch-mainline: v4.16-rc1
Git-commit: 54a6d63f14bdb4e899bbb4128d32717074d13862
References: bsc#1103988 FATE#326003
Smatch complains about this code:
drivers/infiniband/hw/mlx4/qp.c:1827 _mlx4_set_path()
error: buffer overflow 'dev->dev->caps.gid_table_len' 3 <= 255
The mlx4_ib_gid_index_to_real_index() does check that "port" is within
bounds, but we don't check the return value for errors. It seems simple
enough to add a check for that.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
drivers/infiniband/hw/mlx4/qp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1836,6 +1836,8 @@ static int _mlx4_set_path(struct mlx4_ib
mlx4_ib_gid_index_to_real_index(dev, port,
grh->sgid_index);
+ if (real_sgid_index < 0)
+ return real_sgid_index;
if (real_sgid_index >= dev->dev->caps.gid_table_len[port]) {
pr_err("sgid_index (%u) too large. max is %d\n",
real_sgid_index, dev->dev->caps.gid_table_len[port] - 1);