IB/mad: Check hop count field in directed route MAD to avoid array overflow
author: Roland Dreier <rolandd@cisco.com>
Sun, 6 Sep 2009 03:24:10 +0000 (20:24 -0700)
committer: Roland Dreier <rolandd@cisco.com>
Sun, 6 Sep 2009 03:24:10 +0000 (20:24 -0700)
The hop count field in a directed route MAD is only allowed to be in the
range 0 to 63 (by spec).  Check that this really is the case to avoid
accessing outside the bounds of the hop array.

Reported-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
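The bug class the commit message describes, as an added stand-alone C model (not kernel code and not part of this patch): a directed-route SMP carries an 8-bit hop count from the wire, but the path array has only IB_SMP_MAX_PATH_HOPS entries, so any index derived from an unchecked hop count can run past the array. The `struct dr_smp` layout, the helper names, the constructed sample MADs and the simplified "in transit" rule (1 <= hop_ptr <= hop_cnt) are assumptions for illustration; only IB_SMP_MAX_PATH_HOPS == 64 and the C14-6 range 0..63 come from the commit.

```c
/* Added example, not from the kernel or this commit. Models why an
 * unchecked 8-bit hop_cnt matters and how the guard closes the hole.
 * struct dr_smp, helper names and the simplified in-transit rule are
 * assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IB_SMP_MAX_PATH_HOPS 64   /* same value as the kernel constant */

enum smi_action { IB_SMI_DISCARD = 0, IB_SMI_HANDLE = 1 };

/* Minimal stand-in for struct ib_smp: only the directed-route fields. */
struct dr_smp {
    uint8_t hop_ptr;
    uint8_t hop_cnt;                            /* one byte on the wire: 0..255 */
    uint8_t initial_path[IB_SMP_MAX_PATH_HOPS]; /* egress port for each hop */
};

/* Index an unchecked lookup would use for the current hop's egress port.
 * Returned rather than dereferenced so the demo never reads out of bounds. */
static int forward_index_unchecked(const struct dr_smp *smp)
{
    return smp->hop_ptr;
}

/* Does this index stay inside initial_path[]? */
static int index_in_bounds(int idx)
{
    return idx >= 0 && idx < IB_SMP_MAX_PATH_HOPS;
}

/* The guard the commit adds: C14-6 limits hop_cnt to 0..63, so any larger
 * value is a malformed MAD and is discarded before any path lookup. */
static enum smi_action check_hop_cnt(const struct dr_smp *smp)
{
    if (smp->hop_cnt >= IB_SMP_MAX_PATH_HOPS)
        return IB_SMI_DISCARD;
    return IB_SMI_HANDLE;
}

/* Hardened lookup. Simplified model of the in-transit case only
 * (assumption: 1 <= hop_ptr <= hop_cnt; the spec's C14-9 state machine
 * has more cases). Once hop_cnt <= 63 and hop_ptr <= hop_cnt, the index
 * is provably inside the array. Returns the egress port or -1 on discard. */
static int forward_port_checked(const struct dr_smp *smp)
{
    if (check_hop_cnt(smp) == IB_SMI_DISCARD)
        return -1;
    if (smp->hop_ptr == 0 || smp->hop_ptr > smp->hop_cnt)
        return -1;
    return smp->initial_path[smp->hop_ptr];
}

/* Build a constructed DR SMP whose hop i leaves on port i+1. */
static void make_smp(struct dr_smp *smp, uint8_t hop_cnt, uint8_t hop_ptr)
{
    unsigned i;
    memset(smp, 0, sizeof(*smp));
    smp->hop_cnt = hop_cnt;
    smp->hop_ptr = hop_ptr;
    for (i = 0; i < IB_SMP_MAX_PATH_HOPS; i++)
        smp->initial_path[i] = (uint8_t)(i + 1);
}

int main(void)
{
    struct dr_smp good, bad;

    make_smp(&good, 3, 2);     /* valid: 3 hops, currently at hop 2 */
    make_smp(&bad, 200, 150);  /* malformed: hop_cnt outside 0..63 */

    printf("valid MAD: egress port %d\n", forward_port_checked(&good));
    printf("malformed MAD: unchecked index %d in bounds? %d\n",
           forward_index_unchecked(&bad),
           index_in_bounds(forward_index_unchecked(&bad)));
    printf("malformed MAD: checked result %d (discarded)\n",
           forward_port_checked(&bad));
    return 0;
}
```

The point the model makes explicit: the hop_cnt guard on its own does not bound hop_ptr; it only makes the lookup safe together with a check that ties hop_ptr to hop_cnt, which is why the order of the two checks matters.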
drivers/infiniband/core/smi.c

index 8723675..5855e44 100644
@@ -52,6 +52,10 @@ enum smi_action smi_handle_dr_smp_send(struct ib_smp *smp,
        hop_cnt = smp->hop_cnt;
 
        /* See section 14.2.2.2, Vol 1 IB spec */
+       /* C14-6 -- valid hop_cnt values are from 0 to 63 */
+       if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
+               return IB_SMI_DISCARD;
+
        if (!ib_get_smp_direction(smp)) {
                /* C14-9:1 */
                if (hop_cnt && hop_ptr == 0) {
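Review bot: the new guard bounds hop_cnt only, while hop_ptr, which this function also reads (`hop_ptr == 0` just below), is left to the existing C14-9 comparisons against hop_cnt; the hop-array accesses the commit message mentions are therefore only safe as long as every index derived from hop_ptr is first compared against the now-bounded hop_cnt. Say so in the comment, e.g. `/* hop_ptr is kept in range by the C14-9 checks against hop_cnt below */`, so a later reordering of the checks cannot silently reopen the overflow. Minor: the comment hardcodes `0 to 63` while the test uses `IB_SMP_MAX_PATH_HOPS`; writing `0 to IB_SMP_MAX_PATH_HOPS - 1` keeps the two from drifting.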
@@ -133,6 +137,10 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, u8 node_type,
        hop_cnt = smp->hop_cnt;
 
        /* See section 14.2.2.2, Vol 1 IB spec */
+       /* C14-6 -- valid hop_cnt values are from 0 to 63 */
+       if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
+               return IB_SMI_DISCARD;
+
        if (!ib_get_smp_direction(smp)) {
                /* C14-9:1 -- sender should have incremented hop_ptr */
                if (hop_cnt && hop_ptr == 0)
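Review bot: this is a verbatim copy of the guard added to smi_handle_dr_smp_send(), comment included; factor it into one small helper, e.g. `static bool smi_hop_cnt_valid(const struct ib_smp *smp) { return smp->hop_cnt < IB_SMP_MAX_PATH_HOPS; }`, and call it at the top of both functions so a future change to the range cannot be applied to one path and missed on the other. On this receive path hop_cnt arrives from the fabric, so returning IB_SMI_DISCARD without a response is the right outcome; a rate-limited debug message before the discard would at least make malformed frames visible to an operator.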