core: check for overflow in msg_param_mobj_from_noncontig()
msg_param_mobj_from_noncontig() does not check that buf_ptr + size does not overflow. As a result, num_pages could be computed small, while size could be big. Only num_pages will be mapped/registered in the returned mobj. If the caller does not compare mobj->size with required size, it can end up manipulating memory out of the intended region.

Fix the issue by using overflow checking macros.

Signed-off-by: Jerome Forissier <email@example.com>
Reported-by: Bastien Simondi <firstname.lastname@example.org> [1.2]
Reviewed-by: Jens Wiklander <email@example.com>
Reviewed-by: Joakim Bech <firstname.lastname@example.org>
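
The wrap-around described in the commit message, as an added example that is not OP-TEE's code or the patch itself. The function names, the 4 KiB page size and the sample values are assumptions, and `__builtin_add_overflow` (GCC/Clang) stands in for the overflow checking macros the message mentions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096ULL              /* assumed 4 KiB small page */
#define EX_PAGE_MASK (EX_PAGE_SIZE - 1)

/* Unchecked form (hypothetical): the sum wraps modulo 2^64 for a huge size,
 * so the page count comes out small while size stays big. */
static uint64_t num_pages_unchecked(uint64_t buf_ptr, uint64_t size)
{
    uint64_t total = (buf_ptr & EX_PAGE_MASK) + size;   /* may wrap */

    return (total + EX_PAGE_MASK) / EX_PAGE_SIZE;       /* may wrap too */
}

/* Checked form (hypothetical): every addition is tested.
 * Returns false when the request must be rejected. */
static bool num_pages_checked(uint64_t buf_ptr, uint64_t size,
                              uint64_t *num_pages)
{
    uint64_t end, total, rounded;

    if (__builtin_add_overflow(buf_ptr, size, &end))
        return false;                 /* buffer wraps the address space */
    if (__builtin_add_overflow(buf_ptr & EX_PAGE_MASK, size, &total))
        return false;
    if (__builtin_add_overflow(total, EX_PAGE_MASK, &rounded))
        return false;                 /* the round-up itself would wrap */
    *num_pages = rounded / EX_PAGE_SIZE;
    return true;
}

int main(void)
{
    /* Constructed values: in-page offset 0x800, size picked so that
     * offset + size wraps to 0x10. */
    uint64_t buf_ptr = 0x10000800ULL, size = 0xFFFFFFFFFFFFF810ULL, n = 0;

    printf("unchecked: %llu page(s) for size %#llx\n",
           (unsigned long long)num_pages_unchecked(buf_ptr, size),
           (unsigned long long)size);
    printf("checked:   %s\n",
           num_pages_checked(buf_ptr, size, &n) ? "accepted" : "rejected");
    return 0;
}
```

With the constructed values the unchecked function reports a single page for a size close to 2^64, which is the mismatch between num_pages and size that the message describes.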