From: Jarod Wilson
Subject: Re: [PATCH libmlx5 3/6] fix buffer overrun copying inline header
Date: Wed, 27 Jul 2016 17:26:10 -0400
Message-ID: <20160727212610.GJ36313@redhat.com>
References: <1469647047-7544-1-git-send-email-jarod@redhat.com> <1469647047-7544-4-git-send-email-jarod@redhat.com>
In-Reply-To: <1469647047-7544-4-git-send-email-jarod-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Yishai Hadas

On Wed, Jul 27, 2016 at 03:17:24PM -0400, Jarod Wilson wrote:
> At present, the size of eseg->inline_hdr_start is 16 bits, while
> MLX5_ETH_L2_INLINE_HEADER_SIZE is 18, so there are attempts made to copy
> 18 bits into 16 bits of storage. The mlx5_dbg() statement in
> copy_eth_inline_header() suggests that perhaps
> MLX5_ETH_L2_INLINE_HEADER_SIZE should be only 16, not 18. So either that
> needs to be changed, or the inline_hdr_start array needs to be bumped up
> to 3 bytes instead of 2.

Ugh. Now I see what's going on. The copy is actually designed to copy 18
_bytes_, not bits, into inline_hdr_start[2] and inline_hdr[16]. Is there a
particular reason those two aren't just a single array?

-- 
Jarod Wilson
jarod-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
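The layout behind the 18-byte copy, as an added example that is not code from the libmlx5 patch series or the mailing list: a constructed model of the two adjacent arrays with compile-time checks that they are contiguous and together hold MLX5_ETH_L2_INLINE_HEADER_SIZE bytes, beside the single-array form the mail asks about with a length-checked copy. The struct is a model carrying only the fields named in the thread (the real segment has more fields in front of them), and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MLX5_ETH_L2_INLINE_HEADER_SIZE 18

/* Constructed model (not the real libmlx5 struct): a 2-byte
 * inline_hdr_start immediately followed by a 16-byte inline_hdr. */
struct eseg_split {
    uint8_t inline_hdr_start[2];
    uint8_t inline_hdr[16];
};

/* Single-array form: the same 18 bytes behind one bound. */
struct eseg_merged {
    uint8_t inline_hdr[MLX5_ETH_L2_INLINE_HEADER_SIZE];
};

/* An 18-byte write through inline_hdr_start only "fits" because
 * inline_hdr sits directly behind it; make that assumption explicit. */
_Static_assert(offsetof(struct eseg_split, inline_hdr) == 2,
               "inline_hdr must directly follow inline_hdr_start");
_Static_assert(sizeof(struct eseg_split) == MLX5_ETH_L2_INLINE_HEADER_SIZE,
               "split layout must hold exactly the inline header");
_Static_assert(sizeof(struct eseg_split) == sizeof(struct eseg_merged),
               "split and merged layouts must be the same size");

/* Merged form: refuse any length the destination cannot hold. */
int copy_eth_inline_header_bounded(struct eseg_merged *eseg,
                                   const void *hdr, size_t len)
{
    if (len > sizeof(eseg->inline_hdr))
        return -1;
    memcpy(eseg->inline_hdr, hdr, len);
    return 0;
}

/* Split form without indexing past the 2-byte member: fill each
 * field from its own slice of the source header. */
void copy_eth_inline_header_split(struct eseg_split *eseg, const uint8_t *hdr)
{
    memcpy(eseg->inline_hdr_start, hdr, sizeof(eseg->inline_hdr_start));
    memcpy(eseg->inline_hdr, hdr + sizeof(eseg->inline_hdr_start),
           sizeof(eseg->inline_hdr));
}

/* Both forms must produce identical bytes for the same header. */
int layouts_agree(const uint8_t *hdr)
{
    struct eseg_split s;
    struct eseg_merged m;
    copy_eth_inline_header_split(&s, hdr);
    if (copy_eth_inline_header_bounded(&m, hdr, MLX5_ETH_L2_INLINE_HEADER_SIZE))
        return 0;
    return memcmp(&s, &m, sizeof(m)) == 0;
}
```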