On Wed, Dec 12, 2018 at 05:17:23PM +0530, P J P wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > When creating CQ/QP rings, an object can have up to > PVRDMA_MAX_FAST_REG_PAGES=128 pages. Check 'npages' parameter > to avoid excessive memory allocation or a null dereference. > > Reported-by: Li Qiang <liq...@163.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > Update v1: move check before page dir/tbl map > -> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02257.html > > diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > index 4f616d4177..e37fb18280 100644 > --- a/hw/rdma/vmw/pvrdma_cmd.c > +++ b/hw/rdma/vmw/pvrdma_cmd.c > @@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , > PvrdmaRing **ring, > int rc = -EINVAL; > char ring_name[MAX_RING_NAME_SZ]; > > + if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { > + pr_dbg("invalid nchunks: %d\n", nchunks); > + return rc; > + } > + > pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); > dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); > if (!dir) { > @@ -371,6 +376,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t > pdir_dma, > char ring_name[MAX_RING_NAME_SZ]; > uint32_t wqe_sz; > > + if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES > + || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { > + pr_dbg("invalid pages: %d, %d\n", spages, rpages); > + return rc; > + } > + > pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); > dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); > if (!dir) {
Thanks.

Reviewed-by: Yuval Shaia <yuval.sh...@oracle.com>

> --
> 2.19.2
>
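
Review bot: The commit message says the check is on 'npages', but the condition added to create_cq_ring() tests `nchunks`; please align the wording, or state in the message that nchunks is the page count being bounded, so the log matches the code. A one-line comment above `if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES)` saying why the fast-register limit is the right bound for a CQ ring would help, since the constant's name does not suggest ring sizing. The early `return rc;` sits before rdma_pci_dma_map(), so nothing needs unmapping on this path. The rejection is reported only through pr_dbg(), and the `%d` specifier should be checked against the declared type of nchunks, which is not visible in this hunk.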
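
Review bot: In create_qp_rings() the new condition bounds `spages` and `rpages` separately, so a single QP can still be created with up to twice PVRDMA_MAX_FAST_REG_PAGES pages in total, while the commit message states the limit per object. If the limit is meant per QP, the sum `spages + rpages` should be checked as well; if it is meant per ring, say so in the commit message or in a comment above the check. The condition also rejects a zero `rpages` unconditionally, so it is worth confirming in the message that no valid guest request creates a QP without a receive ring. As in the first hunk, `pr_dbg("invalid pages: %d, %d\n", spages, rpages);` should use specifiers that match the declared types of the two arguments, which this hunk does not show.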