From: Prasad J Pandit <p...@fedoraproject.org> When creating CQ/QP rings, an object can have up to PVRDMA_MAX_FAST_REG_PAGES=128 pages. Check 'npages' parameter to avoid excessive memory allocation or a null dereference.
Reported-by: Li Qiang <liq...@163.com> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++ 1 file changed, 11 insertions(+) Update: No change, ack'd v1 -> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02786.html diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index 4f616d4177..e37fb18280 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring, int rc = -EINVAL; char ring_name[MAX_RING_NAME_SZ]; + if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { + pr_dbg("invalid nchunks: %d\n", nchunks); + return rc; + } + pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); if (!dir) { @@ -371,6 +376,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma, char ring_name[MAX_RING_NAME_SZ]; uint32_t wqe_sz; + if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES + || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { + pr_dbg("invalid pages: %d, %d\n", spages, rpages); + return rc; + } + pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); if (!dir) { -- 2.19.2
