Commit 9ed87fd3 authored Nov 20, 2007 by Jack Morgenstein Committed by Roland Dreier Nov 20, 2007

mlx4_core: Fix state check in mlx4_qp_modify()



When checking the states passed in, mlx4_qp_modify() accidentally checks
cur_state twice rather than checking cur_state and new_state.  Fix this
to make sure that both values are in-bounds.

Since these values may be passed in from userspace, this bug results in
userspace being able to trigger an oops.

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Cc: stable <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

parent 4187b915

drivers/net/mlx4/qp.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev dev, struct mlx4_mtt mtt,
		struct mlx4_cmd_mailbox *mailbox;
		int ret = 0;

		if (cur_state >= MLX4_QP_NUM_STATE \|\| cur_state >= MLX4_QP_NUM_STATE \|\|
		if (cur_state >= MLX4_QP_NUM_STATE \|\| new_state >= MLX4_QP_NUM_STATE \|\|
		!op[cur_state][new_state])
		return -EINVAL;