Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 4f7f4dcf authored by Vlad Tsyrklevich's avatar Vlad Tsyrklevich Committed by Doug Ledford
Browse files

infiniband/uverbs: Fix integer overflows 



The 'num_sge' variable is verfied to be smaller than the 'sge_count'
variable; however, since both are user-controlled it's possible to cause
an integer overflow for the kmalloc multiply on 32-bit platforms
(num_sge and sge_count are both defined u32). By crafting an input that
causes a smaller-than-expected allocation it's possible to write
controlled data out-of-bounds.

Signed-off-by: default avatarVlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
parent 5b0ff9a0
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment