Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[qib7322] Validate payload length
There is no way for the hardware to give us an invalid length in the
LRH, since it must have parsed this length field in order to perform
header splitting.  However, this is difficult to prove conclusively.

Add an unnecessary length check to explicitly reject any packets
larger than the posted receive I/O buffer.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
mcb30 committed Mar 30, 2016
1 parent c9af896 commit 597521e
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions src/drivers/infiniband/qib7322.c
Expand Up @@ -1507,8 +1507,15 @@ static void qib7322_complete_recv ( struct ib_device *ibdev,
/* Completing the eager buffer described in
* this header entry.
*/
iob_put ( iobuf, payload_len );
rc = ( err ? -EIO : ( useegrbfr ? 0 : -ECANCELED ) );
if ( payload_len <= iob_tailroom ( iobuf ) ) {
iob_put ( iobuf, payload_len );
rc = ( err ?
-EIO : ( useegrbfr ? 0 : -ECANCELED ) );
} else {
DBGC ( qib7322, "QIB7322 %p bad payload len "
"%zd\n", qib7322, payload_len );
rc = -EPROTO;
}
/* Redirect to target QP if necessary */
if ( qp != intended_qp ) {
DBGC2 ( qib7322, "QIB7322 %p redirecting QPN "
Expand All @@ -1519,7 +1526,7 @@ static void qib7322_complete_recv ( struct ib_device *ibdev,
intended_qp->recv.fill++;
}
ib_complete_recv ( ibdev, intended_qp, &dest, &source,
iobuf, rc);
iobuf, rc );
} else {
/* Completing on a skipped-over eager buffer */
ib_complete_recv ( ibdev, qp, &dest, &source, iobuf,
Expand Down

0 comments on commit 597521e

Please sign in to comment.