author | Conrad Meyer <cem@FreeBSD.org> | 2015-10-20 19:20:52 +0000 |
---|---|---|
committer | Conrad Meyer <cem@FreeBSD.org> | 2015-10-20 19:20:52 +0000 |
commit | 2d6501b281e9b30763b9f910b20bb6ca53bb1ed5 (patch) | |
tree | dc1ed64071b10dfb772714d88264749b9ffe8ae6 /sys/dev/ntb/if_ntb/if_ntb.c | |
parent | 4994fe1295653f4fcb2dcb31e5ca7796f3c2b7ef (diff) | |
NTB: MFV 8c9edf63: Fix zero size or integer overflow in ntb_set_mw
A plain 32 bit integer will overflow for values over 4GiB.
Change the plain integer size to the appropriate size type in
ntb_set_mw. Change the type of the size parameter and two local
variables used for size.
Even if there is no overflow, a size of zero is invalid here.
Authored by: Allen Hubbe
Reported by: Juyoung Jung
Obtained from: Linux (Dual BSD/GPL driver)
Sponsored by: EMC / Isilon Storage Division
Notes
Notes:
svn path=/head/; revision=289652
Diffstat (limited to 'sys/dev/ntb/if_ntb/if_ntb.c')
-rw-r--r-- | sys/dev/ntb/if_ntb/if_ntb.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/dev/ntb/if_ntb/if_ntb.c b/sys/dev/ntb/if_ntb/if_ntb.c index d2bfb59f0a0c..23cc9968c93f 100644 --- a/sys/dev/ntb/if_ntb/if_ntb.c +++ b/sys/dev/ntb/if_ntb/if_ntb.c @@ -295,7 +295,7 @@ static void ntb_complete_rxc(void *arg, int pending); static void ntb_transport_doorbell_callback(void *data, uint32_t vector); static void ntb_transport_event_callback(void *data); static void ntb_transport_link_work(void *arg); -static int ntb_set_mw(struct ntb_transport_ctx *, int num_mw, unsigned size); +static int ntb_set_mw(struct ntb_transport_ctx *, int num_mw, size_t size); static void ntb_free_mw(struct ntb_transport_ctx *nt, int num_mw); static int ntb_transport_setup_qp_mw(struct ntb_transport_ctx *nt, unsigned int qp_num); @@ -1266,12 +1266,15 @@ out: } static int -ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, unsigned size) +ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, size_t size) { struct ntb_transport_mw *mw = &nt->mw_vec[num_mw]; - unsigned xlat_size, buff_size; + size_t xlat_size, buff_size; int rc; + if (size == 0) + return (EINVAL); + xlat_size = roundup(size, mw->xlat_align_size); buff_size = roundup(size, mw->xlat_align); @@ -1305,7 +1308,7 @@ ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, unsigned size) */ if (mw->dma_addr % mw->xlat_align != 0) { if_printf(nt->ifp, - "DMA memory 0x%jx not aligned to BAR size 0x%x\n", + "DMA memory 0x%jx not aligned to BAR size 0x%zx\n", (uintmax_t)mw->dma_addr, size); ntb_free_mw(nt, num_mw); return (ENOMEM); |
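Review bot: The new `size == 0` guard in ntb_set_mw rejects only the low end. With `size` now a full `size_t`, `roundup(size, mw->xlat_align_size)` and `roundup(size, mw->xlat_align)` can still wrap for values near the top of the range, leaving `xlat_size` or `buff_size` smaller than the request, possibly zero. If `size` can be influenced by the NTB peer (the caller is outside this hunk, so that is an assumption to confirm), a post-roundup check such as `if (xlat_size < size || buff_size < size) return (EINVAL);` would close the gap. An upper bound against the memory window's own size would be stronger still, but no such field is visible here. The function body continues past the end of the hunk.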
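Review bot: In the third hunk the if_printf message labels `size` as the "BAR size", but the test just above it is `mw->dma_addr % mw->xlat_align`, so the log reports the requested size rather than the alignment that was violated. Printing the alignment instead, for example `"DMA memory 0x%jx not aligned to 0x%jx\n"` with `(uintmax_t)mw->dma_addr, (uintmax_t)mw->xlat_align`, would make the diagnostic match the check. The cast is suggested because the declared type of `xlat_align` is not visible in this diff. The enclosing block starts before and ends after the hunk.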