summaryrefslogtreecommitdiff
path: root/drivers/net/ethernet/qlogic/qed/qed_cxt.c
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2016-06-07 15:04:16 +0300
committerDavid S. Miller <davem@davemloft.net>2016-06-08 10:33:25 +0300
commit01e517f16e38fc2345d4d555a7764b5f3f35af84 (patch)
tree6b200ac9cb1a5f75e3f9e53052e32d69d5f4191f /drivers/net/ethernet/qlogic/qed/qed_cxt.c
parentf02ea21548171fa3dacc11fbca358a0fc863bb51 (diff)
downloadlinux-01e517f16e38fc2345d4d555a7764b5f3f35af84.tar.xz
qed: potential overflow in qed_cxt_src_t2_alloc()
In the current code "ent_per_page" could be more than "conn_num" making "conn_num" negative after the subtraction. In the next iteration through the loop then the negative is treated as a very high positive meaning we don't put a limit on "ent_num". It could lead to memory corruption. Fixes: dbb799c39717 ('qed: Initialize hardware for new protocols') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/ethernet/qlogic/qed/qed_cxt.c')
-rw-r--r--drivers/net/ethernet/qlogic/qed/qed_cxt.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index d85b7ba8cb9a..1c35f376143e 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -850,7 +850,7 @@ static int qed_cxt_src_t2_alloc(struct qed_hwfn *p_hwfn)
val = 0;
entries[j].next = cpu_to_be64(val);
- conn_num -= ent_per_page;
+ conn_num -= ent_num;
}
return 0;