RDMA/nes: Fix possible array overrun

In nes_create_qp(), the test if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) { is used to error out if the db_index is too large; however, if the test doesn't trigger, then the index is used as nes_ucontext->mmap_nesqp[nesqp->mmap_sq_db_index] = nesqp; and mmap_nesqp is declared as struct nes_qp *mmap_nesqp[NES_MAX_USER_WQ_REGIONS]; which leads to an array overrun if the index is exactly equal to NES_MAX_USER_WQ_REGIONS. Fix this by bailing out if the index is greater than or equal to NES_MAX_USER_WQ_REGIONS. This was spotted by the Coverity checker (CID 2162). Acked-by: Glenn Streiff <gstreiff@neteffect.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
git-mirror · Feb 18, 2008 · 51af33e · 51af33e
1 parent edd2fd6
commit 51af33e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1337,7 +1337,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
 								   NES_MAX_USER_WQ_REGIONS, nes_ucontext->first_free_wq);
 					/* nes_debug(NES_DBG_QP, "find_first_zero_biton wqs returned %u\n",
 							nespd->mmap_db_index); */
-					if (nesqp->mmap_sq_db_index > NES_MAX_USER_WQ_REGIONS) {
+					if (nesqp->mmap_sq_db_index >= NES_MAX_USER_WQ_REGIONS) {
 						nes_debug(NES_DBG_QP,
 							  "db index > max user regions, failing create QP\n");
 						nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num);