RDMA/cxgb4: Add a sanity check in process_work()

The story is that Smatch marks skb->data as untrusted so it generates
a warning message here:

    drivers/infiniband/hw/cxgb4/cm.c:4100 process_work()
    error: buffer overflow 'work_handlers' 241 <= 255

In other places which handle this such as t4_uld_rx_handler() there is
some checking to make sure that the function pointer is not NULL.  I
have added bounds checking and a check for NULL here as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 21db3b48a61700902494e488795a342abbf765bb..844c9e78df8b365a1023d1f5c3ef2bfa04ea3327 100644 (file)
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -4097,9 +4097,15 @@ static void process_work(struct work_struct *work)
                dev = *((struct c4iw_dev **) (skb->cb + sizeof(void *)));
                opcode = rpl->ot.opcode;
 
-               ret = work_handlers[opcode](dev, skb);
-               if (!ret)
+               if (opcode >= ARRAY_SIZE(work_handlers) ||
+                   !work_handlers[opcode]) {
+                       pr_err("No handler for opcode 0x%x.\n", opcode);
                        kfree_skb(skb);
+               } else {
+                       ret = work_handlers[opcode](dev, skb);
+                       if (!ret)
+                               kfree_skb(skb);
+               }
                process_timedout_eps();
        }
 }