commit 6bcca3d4a3bcc9859cf001a0a21c8796edae2dc0
author Yann Droneaud <ydroneaud@opteya.com> Wed Dec 11 23:01:52 2013 +0100
committer Roland Dreier <roland@purestorage.com> Fri Dec 20 10:54:33 2013 -0800
tree a577a4d85acbb4fef1b1c4f28929ed12f20310aa
parent 98a37510ec1452817600d8ea47cff1d9f8d9bec8

IB/uverbs: Check input length in flow steering uverbs

Since ib_copy_from_udata() doesn't check yet the available input data
length before accessing userspace memory, an explicit check of this
length is required to prevent:

- reading past the user provided buffer,
- underflow when subtracting the expected command size from the input
  length.

This will ensure the newly added flow steering uverbs don't try to
process truncated commands.

Link: http://marc.info/?i=cover.1386798254.git.ydroneaud@opteya.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>

drivers/infiniband/core/uverbs_cmd.c

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 45fb80b..f1cc838 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2649,6 +2649,9 @@
 	void *ib_spec;
 	int i;
 
+	if (ucore->inlen < sizeof(cmd))
+		return -EINVAL;
+
 	if (ucore->outlen < sizeof(resp))
 		return -ENOSPC;
 
@@ -2799,6 +2802,9 @@
 	struct ib_uobject		*uobj;
 	int				ret;
 
+	if (ucore->inlen < sizeof(cmd))
+		return -EINVAL;
+
 	ret = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
 	if (ret)
 		return ret;