IB/umad: make sure write()s have sufficient data

Make sure that userspace passes in enough data when sending a MAD.  We
always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR
bytes from userspace, so anything less is definitely invalid.  Also,
if the length is less than this limit, it's possible for the second
copy_from_user() to get a negative length and trigger a BUG().

Signed-off-by: Roland Dreier <rolandd@cisco.com>

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index 5ea741f47fc88c4d3b90b0f725b837a61af8ba51..e73f81c223811954e5656f0ed97749b161758cdd 100644 (file)
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -312,7 +312,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
        int ret, length, hdr_len, copy_offset;
        int rmpp_active = 0;
 
-       if (count < sizeof (struct ib_user_mad))
+       if (count < sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR)
                return -EINVAL;
 
        length = count - sizeof (struct ib_user_mad);