]> xenbits.xensource.com Git - people/julieng/freebsd.git/commitdiff
projects / people / julieng / freebsd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b801d31)
NTB: MFV 8c9edf63: Fix zero size or integer overflow in ntb_set_mw
authorcem <cem@FreeBSD.org>
Tue, 20 Oct 2015 19:20:52 +0000 (19:20 +0000)
committercem <cem@FreeBSD.org>
Tue, 20 Oct 2015 19:20:52 +0000 (19:20 +0000)
A plain 32 bit integer will overflow for values over 4GiB.

Change the plain integer size to the appropriate size type in
ntb_set_mw.  Change the type of the size parameter and two local
variables used for size.

Even if there is no overflow, a size of zero is invalid here.

Authored by: Allen Hubbe
Reported by: Juyoung Jung
Obtained from: Linux (Dual BSD/GPL driver)
Sponsored by: EMC / Isilon Storage Division

sys/dev/ntb/if_ntb/if_ntb.c patch | blob | blame | history

diff --git a/sys/dev/ntb/if_ntb/if_ntb.c b/sys/dev/ntb/if_ntb/if_ntb.c
index d2bfb59f0a0c2ecea5d82b22386e92632591253f..23cc9968c93fb18fe03c7dc7a021f2af1f00f11e 100644 (file)
--- a/sys/dev/ntb/if_ntb/if_ntb.c
+++ b/sys/dev/ntb/if_ntb/if_ntb.c
@@ -295,7 +295,7 @@ static void ntb_complete_rxc(void *arg, int pending);
 static void ntb_transport_doorbell_callback(void *data, uint32_t vector);
 static void ntb_transport_event_callback(void *data);
 static void ntb_transport_link_work(void *arg);
-static int ntb_set_mw(struct ntb_transport_ctx *, int num_mw, unsigned size);
+static int ntb_set_mw(struct ntb_transport_ctx *, int num_mw, size_t size);
 static void ntb_free_mw(struct ntb_transport_ctx *nt, int num_mw);
 static int ntb_transport_setup_qp_mw(struct ntb_transport_ctx *nt,
     unsigned int qp_num);
@@ -1266,12 +1266,15 @@ out:
 }
 
 static int
-ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, unsigned size)
+ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, size_t size)
 {
        struct ntb_transport_mw *mw = &nt->mw_vec[num_mw];
-       unsigned xlat_size, buff_size;
+       size_t xlat_size, buff_size;
        int rc;
 
+       if (size == 0)
+               return (EINVAL);
+
        xlat_size = roundup(size, mw->xlat_align_size);
        buff_size = roundup(size, mw->xlat_align);
 
@@ -1305,7 +1308,7 @@ ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, unsigned size)
         */
        if (mw->dma_addr % mw->xlat_align != 0) {
                if_printf(nt->ifp,
-                   "DMA memory 0x%jx not aligned to BAR size 0x%x\n",
+                   "DMA memory 0x%jx not aligned to BAR size 0x%zx\n",
                    (uintmax_t)mw->dma_addr, size);
                ntb_free_mw(nt, num_mw);
                return (ENOMEM);
FreeBSD development repo for Xen ARM