Fix integer overflow in create SRQ

If SRQ max_wr is too high, srq buf size calculation srq->buf_size = srq->max << srq->wqe_shift might overflow, resulting in crash on buffer access. The simplest solution is to limit max_wr since practically hardware does not support values bigger than 1 << 16. Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
author: Michael S. Tsirkin <mst@mellanox.co.il> 2006-08-03 17:33:43 +0000
committer: Roland Dreier <rolandd@cisco.com> 2006-11-09 19:57:07 -0800
commit: 835c8581d5be0b2b7f44ec95781208d042f91b0c (patch)
tree: 30064a45d7ab58760b5df8d4d0f505fc7e18cd8e
parent: 9717f7c9edc33c99a4c253df42da9ff8c39f1119 (diff)
download: libmthca-835c8581d5be0b2b7f44ec95781208d042f91b0c.tar.gz
2 files changed, 6 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 5aefa0a..5f347dd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2006-08-03  Michael S. Tsirkin  <mst@mellanox.co.il>
+
+	* src/verbs.c (mthca_create_srq): Limit SRQ max_wr to avoid
+	integer overflow.
+
 2006-07-26  Roland Dreier  <rdreier@cisco.com>
 
 	* src/mthca.h, src/ah.c, src/cq.c, src/memfree.c, src/qp.c,
diff --git a/src/verbs.c b/src/verbs.c
index 9bffe78..753adc2 100644
--- a/src/verbs.c
+++ b/src/verbs.c
@@ -368,7 +368,7 @@ struct ibv_srq *mthca_create_srq(struct ibv_pd *pd,
 	int                          ret;
 
 	/* Sanity check SRQ size before proceeding */
-	if (attr->attr.max_wr > 16 << 20 || attr->attr.max_sge > 64)
+	if (attr->attr.max_wr > 1 << 16 || attr->attr.max_sge > 64)
 		return NULL;
 
 	srq = malloc(sizeof *srq);
author	Michael S. Tsirkin <mst@mellanox.co.il>	2006-08-03 17:33:43 +0000
committer	Roland Dreier <rolandd@cisco.com>	2006-11-09 19:57:07 -0800
commit	835c8581d5be0b2b7f44ec95781208d042f91b0c (patch)
tree	30064a45d7ab58760b5df8d4d0f505fc7e18cd8e
parent	9717f7c9edc33c99a4c253df42da9ff8c39f1119 (diff)
download	libmthca-835c8581d5be0b2b7f44ec95781208d042f91b0c.tar.gz