net/mlx4: Fix memory corruption in mlx4_MAD_IFC_wrapper
authorMatan Barak <matanb@mellanox.com>
Tue, 27 Jan 2015 13:58:07 +0000 (15:58 +0200)
committerDavid S. Miller <davem@davemloft.net>
Wed, 28 Jan 2015 01:12:58 +0000 (17:12 -0800)
Fix a memory corruption at mlx4_MAD_IFC_wrapper.

A table of size dev->caps.pkey_table_len[port]*sizeof(*table)
was allocated, but get_full_pkey_table() assumes that the number
of entries in the table is a multiplication of 32 (which isn't always
correct).

Fixes: 0a9a018 ('mlx4: MAD_IFC paravirtualization')
Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/mellanox/mlx4/cmd.c

index 928b7065732c338e16dbf2f6fc771a766ff642ee..154effbfd8bef5b49f6ab06a381e1fa4db289c2c 100644 (file)
@@ -901,7 +901,9 @@ static int mlx4_MAD_IFC_wrapper(struct mlx4_dev *dev, int slave,
                                index = be32_to_cpu(smp->attr_mod);
                                if (port < 1 || port > dev->caps.num_ports)
                                        return -EINVAL;
-                               table = kcalloc(dev->caps.pkey_table_len[port], sizeof *table, GFP_KERNEL);
+                               table = kcalloc((dev->caps.pkey_table_len[port] / 32) + 1,
+                                               sizeof(*table) * 32, GFP_KERNEL);
+
                                if (!table)
                                        return -ENOMEM;
                                /* need to get the full pkey table because the paravirtualized