qed: potential overflow in qed_cxt_src_t2_alloc()

In the current code "ent_per_page" could be more than "conn_num" making "conn_num" negative after the subtraction. In the next iteration through the loop then the negative is treated as a very high positive meaning we don't put a limit on "ent_num". It could lead to memory corruption. Fixes: dbb799c3 ('qed: Initialize hardware for new protocols') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>

qed: potential overflow in qed_cxt_src_t2_alloc()
In the current code "ent_per_page" could be more than "conn_num" making "conn_num" negative after the subtraction. In the next iteration through the loop then the negative is treated as a very high positive meaning we don't put a limit on "ent_num". It could lead to memory corruption. Fixes: dbb799c3 ('qed: Initialize hardware for new protocols') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
01e517f1 · Dan Carpenter · David S. Miller · f02ea215 · 01e517f1
Commit 01e517f1 authored Jun 07, 2016 by Dan Carpenter Committed by David S. Miller Jun 08, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/net/ethernet/qlogic/qed/qed_cxt.c drivers/net/ethernet/qlogic/qed/qed_cxt.c +1 -1

No files found.
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -850,7 +850,7 @@ static int qed_cxt_src_t2_alloc(struct qed_hwfn *p_hwfn)
 			val = 0;
 		entries[j].next = cpu_to_be64(val);

-		conn_num -= ent_per_page;
+		conn_num -= ent_num;
 	}

 	return 0;