Skip to content

Commit

Permalink
mlx5: Fix potential arithmetic overflow
Browse files Browse the repository at this point in the history 
Fix potential arithmetic overflow by converting byte_count's type
to uint64_t.

Prior to this conversion the temporary calculation of byte_count *
repeat_count was done in 32-bit arithmetic and could overflow, thus
resulting in an incorrect value stored in reglen, which is uint64_t.

The following coverity check revealed it:

Error: OVERFLOW_BEFORE_WIDEN (CWE-190):
rdma-core-28.0/providers/mlx5/qp.c:2137: overflow_before_widen:
Potentially overflowing expression "byte_count * repeat_count" with
type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit
arithmetic, and then used in a context that expects an expression of
type "uint64_t" (64 bits, unsigned).

rdma-core-28.0/providers/mlx5/qp.c:2137: remediation: To avoid overflow,
cast either "byte_count" or "repeat_count" to type "uint64_t".
 # 2135|
 # 2136|       rb->byte_count = htobe32(byte_count);
 # 2137|->     *reglen = byte_count * repeat_count;
 # 2138|
 # 2139|       tmp = align(num_interleaved + 1, 4) - num_interleaved - 1;

Fixes: 75ed7a9 ("mlx5: Introduce mlx5dv_wr_mr_interleaved post send builder")
Signed-off-by: Avihai Horon <avihaih@mellanox.com>
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
  • Loading branch information
@yishaih
Avihai Horon authored and yishaih committed Jun 21, 2020
1 parent 9fc7152 commit 396e6b6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion providers/mlx5/qp.c
View file
Expand Up @@ -2107,7 +2107,7 @@ static void umr_strided_seg_create(struct mlx5_qp *qp,
{
struct mlx5_wqe_umr_repeat_block_seg *rb = seg;
struct mlx5_wqe_umr_repeat_ent_seg *eb;
int byte_count = 0;
uint64_t byte_count = 0;
int tmp;
int i;

Expand Down

0 comments on commit 396e6b6

Please sign in to comment.