Commit bf1d8edb authored by Dan Carpenter's avatar Dan Carpenter Committed by Jason Gunthorpe

RDMA/rtrs: Fix a couple off by one bugs in rtrs_srv_rdma_done()

These > comparisons should be >= to prevent accessing one element beyond
the end of the buffer.

Fixes: 9cb83748 ("RDMA/rtrs: server: main functionality")
Link: https://lore.kernel.org/r/20200519154525.GA66801@mwandaSigned-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarDanil Kipnis <danil.kipnis@cloud.ionos.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
parent b386cd65
......@@ -1213,8 +1213,8 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
msg_id = imm_payload >> sess->mem_bits;
off = imm_payload & ((1 << sess->mem_bits) - 1);
if (unlikely(msg_id > srv->queue_depth ||
off > max_chunk_size)) {
if (unlikely(msg_id >= srv->queue_depth ||
off >= max_chunk_size)) {
rtrs_err(s, "Wrong msg_id %u, off %u\n",
msg_id, off);
close_sess(sess);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment