Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 12 Dec 2018 12:00:51 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r341920 - stable/11/sys/dev/mlx5/mlx5_ib
Message-ID:  <201812121200.wBCC0pSf064333@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: hselasky
Date: Wed Dec 12 12:00:51 2018
New Revision: 341920
URL: https://svnweb.freebsd.org/changeset/base/341920

Log:
  MFC r341553:
  mlx5: Fix integer overflow while resizing CQ
  
  The user can provide very large cqe_size which will cause to integer
  overflow.
  
  Linux commit:
  28e9091e3119933c38933cb8fc48d5618eb784c8
  
  Sponsored by:   Mellanox Technologies

Modified:
  stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
==============================================================================
--- stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c	Wed Dec 12 12:00:34 2018	(r341919)
+++ stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c	Wed Dec 12 12:00:51 2018	(r341920)
@@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct
 	if (ucmd.reserved0 || ucmd.reserved1)
 		return -EINVAL;
 
-	umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+	/* check multiplication overflow */
+	if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+		return -EINVAL;
+
+	umem = ib_umem_get(context, ucmd.buf_addr,
+			   (size_t)ucmd.cqe_size * entries,
 			   IB_ACCESS_LOCAL_WRITE, 1);
 	if (IS_ERR(umem)) {
 		err = PTR_ERR(umem);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812121200.wBCC0pSf064333>