author | Michael S. Tsirkin <mst@mellanox.co.il> | 2006-08-03 17:33:43 +0000 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2006-11-09 19:57:07 -0800 |
commit | 835c8581d5be0b2b7f44ec95781208d042f91b0c | |
tree | 30064a45d7ab58760b5df8d4d0f505fc7e18cd8e | |
parent | 9717f7c9edc33c99a4c253df42da9ff8c39f1119 | |

Fix integer overflow in create SRQ

If SRQ max_wr is too high, srq buf size calculation srq->buf_size =
srq->max << srq->wqe_shift might overflow, resulting in crash on
buffer access.

The simplest solution is to limit max_wr since practically hardware
does not support values bigger than 1 << 16.

Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

-rw-r--r-- | ChangeLog | 5 |
-rw-r--r-- | src/verbs.c | 2 |
2 files changed, 6 insertions, 1 deletions
@@ -1,3 +1,8 @@ +2006-08-03 Michael S. Tsirkin <mst@mellanox.co.il> + + * src/verbs.c (mthca_create_srq): Limit SRQ max_wr to avoid + integer overflow. + 2006-07-26 Roland Dreier <rdreier@cisco.com> * src/mthca.h, src/ah.c, src/cq.c, src/memfree.c, src/qp.c, diff --git a/src/verbs.c b/src/verbs.c index 9bffe78..753adc2 100644 --- a/src/verbs.c +++ b/src/verbs.c @@ -368,7 +368,7 @@ struct ibv_srq *mthca_create_srq(struct ibv_pd *pd, int ret; /* Sanity check SRQ size before proceeding */ - if (attr->attr.max_wr > 16 << 20 || attr->attr.max_sge > 64) + if (attr->attr.max_wr > 1 << 16 || attr->attr.max_sge > 64) return NULL; srq = malloc(sizeof *srq); |
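
Review bot: In the src/verbs.c hunk, the new bound in `if (attr->attr.max_wr > 1 << 16 || attr->attr.max_sge > 64)` is a bare literal, and the reason for it (the hardware limit and the `srq->max << srq->wqe_shift` size calculation) is recorded only in the commit message, while the comment above the check still reads just "Sanity check SRQ size before proceeding". I would give the limit a named constant or extend that comment to say it keeps the buffer size calculation from overflowing, so that a later change to the limit or to the WQE size is made with that constraint in view. The comparison is `>`, so max_wr equal to 1 << 16 is still accepted, and the size calculation itself is outside this hunk; it is worth confirming that the largest accepted max_wr together with the largest accepted max_sge (64) still fits after the shift by wqe_shift. An explicit overflow check at the point where buf_size is computed would make the fix independent of this input limit.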