mlx5: Fix integer overflow while resizing CQ

The user can provide very large cqe_size which will cause to integer overflow. Linux commit: 28e9091e3119933c38933cb8fc48d5618eb784c8 Approved by: hselasky (mentor) MFC after: 1 week Sponsored by: Mellanox Technologies
svn path=/head/; revision=341553
2018-12-05 13:40:05 +00:00 · 2018-12-05 13:40:05 +00:00 · 2bf40c3608 · 2020-12-20 02:59:44 +00:00
commit 2bf40c3608
parent 8567696305
1 changed files with 6 additions and 1 deletions
--- a/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
+++ b/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq,
 	if (ucmd.reserved0 || ucmd.reserved1)
 		return -EINVAL;

-	umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+	/* check multiplication overflow */
+	if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+		return -EINVAL;
+
+	umem = ib_umem_get(context, ucmd.buf_addr,
+			   (size_t)ucmd.cqe_size * entries,
 			   IB_ACCESS_LOCAL_WRITE, 1);
 	if (IS_ERR(umem)) {
 		err = PTR_ERR(umem);