From 30d149ab58cc3ed8e4bc9c4dc45bebbed0e84b6e Mon Sep 17 00:00:00 2001 From: Ralph Campbell Date: Mon, 18 Jun 2007 14:24:44 -0700 Subject: IB/ipath: Fix possible data corruption if multiple SGEs used for receive The code to copy data from the receive queue buffers to the IB SGEs doesn't check the SGE length, only the memory region/page length when copying data. This could overwrite parts of the user's memory that were not intended to be written. It can only happen if multiple SGEs are used to describe a receive buffer which almost never happens in practice. Signed-off-by: Ralph Campbell Signed-off-by: Roland Dreier --- drivers/infiniband/hw/ipath/ipath_ud.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/infiniband/hw/ipath/ipath_ud.c') diff --git a/drivers/infiniband/hw/ipath/ipath_ud.c b/drivers/infiniband/hw/ipath/ipath_ud.c index a518f7c8fa83..0b5a6ac1bb83 100644 --- a/drivers/infiniband/hw/ipath/ipath_ud.c +++ b/drivers/infiniband/hw/ipath/ipath_ud.c @@ -231,6 +231,8 @@ static void ipath_ud_loopback(struct ipath_qp *sqp, if (len > length) len = length; + if (len > sge->sge_length) + len = sge->sge_length; BUG_ON(len == 0); ipath_copy_sge(&rsge, sge->vaddr, len); sge->vaddr += len; -- cgit v1.2.1