Commit bf1d8edb authored by Dan Carpenter's avatar Dan Carpenter Committed by Jason Gunthorpe
Browse files

RDMA/rtrs: Fix a couple off by one bugs in rtrs_srv_rdma_done() 

These > comparisons should be >= to prevent accessing one element beyond
the end of the buffer.

Fixes: 9cb83748 ("RDMA/rtrs: server: main functionality")
Link: https://lore.kernel.org/r/20200519154525.GA66801@mwanda


Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarDanil Kipnis <danil.kipnis@cloud.ionos.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
parent b386cd65

drivers/infiniband/ulp/rtrs/rtrs-srv.c

+2 −2
Original line number Diff line number Diff line
@@ -1213,8 +1213,8 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc) 


			msg_id = imm_payload >> sess->mem_bits;

			off = imm_payload & ((1 << sess->mem_bits) - 1);

			if (unlikely(msg_id > srv->queue_depth ||

				     off > max_chunk_size)) {

			if (unlikely(msg_id >= srv->queue_depth ||

				     off >= max_chunk_size)) {

				rtrs_err(s, "Wrong msg_id %u, off %u\n",

					  msg_id, off);

				close_sess(sess);