| commit | 0e68373cc2b3a063ce067bc0cc3edaf370752890 | |
| author | Prasad J Pandit <pjp@fedoraproject.org> | |
| Wed, 12 Dec 2018 19:30:34 +0000 (13 01:00 +0530) | ||
| committer | Marcel Apfelbaum <marcel.apfelbaum@gmail.com> | |
| Sat, 22 Dec 2018 09:09:57 +0000 (22 11:09 +0200) | ||
| tree | aaf689ada6d7b8f1cc0dcde50100213a86470762 | treesnapshot (tar.gz zip) |
| parent | cce648613bc802be1b894227f7fd94d88476ea07 | commitdiff |
rdma: check num_sge does not exceed MAX_SGE
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar <saaramar5@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar <saaramar5@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
| hw/rdma/rdma_backend.c | diffblobblamehistory |