From 8b2c7e7a3cb2093bf3257c146c5822437fdf3124 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky Date: Fri, 8 Sep 2017 13:02:26 +0300 Subject: [PATCH] RDAM/netlink: Fix out-of-bound access while checking message validity The netlink message sent with type == 0, which doesn't have any client behind it, caused to the overflow in max_num_ops array. Fix it by declaring zero number of ops for the first client. Fixes: c9901724a2f1 ("RDMA/netlink: Remove netlink clients infrastructure") Signed-off-by: Leon Romanovsky Signed-off-by: Linus Torvalds --- drivers/infiniband/core/netlink.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/core/netlink.c b/drivers/infiniband/core/netlink.c index e685148dd3e6..b66b6d06144b 100644 --- a/drivers/infiniband/core/netlink.c +++ b/drivers/infiniband/core/netlink.c @@ -57,7 +57,8 @@ EXPORT_SYMBOL(rdma_nl_chk_listeners); static bool is_nl_msg_valid(unsigned int type, unsigned int op) { - static const unsigned int max_num_ops[RDMA_NL_NUM_CLIENTS - 1] = { + static const unsigned int max_num_ops[RDMA_NL_NUM_CLIENTS] = { + 0, RDMA_NL_RDMA_CM_NUM_OPS, RDMA_NL_IWPM_NUM_OPS, 0, @@ -70,10 +71,10 @@ static bool is_nl_msg_valid(unsigned int type, unsigned int op) */ BUILD_BUG_ON(RDMA_NL_NUM_CLIENTS != 6); - if (type > RDMA_NL_NUM_CLIENTS - 1) + if (type >= RDMA_NL_NUM_CLIENTS) return false; - return (op < max_num_ops[type - 1]) ? true : false; + return (op < max_num_ops[type]) ? true : false; } static bool is_nl_valid(unsigned int type, unsigned int op)