From: Michael Brown <mcb30@ipxe.org>
Date: Tue, 21 Mar 2017 09:46:17 +0000 (+0200)
Subject: [arbel] Avoid potential integer overflow when calculating memory mappings
X-Git-Tag: v1.20.1~288
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5affc832e2ae5fbbc88aafa452354fa418578b4;p=thirdparty%2Fipxe.git

[arbel] Avoid potential integer overflow when calculating memory mappings

When the area to be mapped straddles the 2GB boundary, the expression
(high+size) will overflow on the first loop iteration.  Fix by using
(end-size), which cannot underflow.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---

diff --git a/src/drivers/infiniband/arbel.c b/src/drivers/infiniband/arbel.c
index 9671174c3..ea65d8b8d 100644
--- a/src/drivers/infiniband/arbel.c
+++ b/src/drivers/infiniband/arbel.c
@@ -1994,7 +1994,7 @@ static int arbel_map_vpm ( struct arbel *arbel,
 		if ( ( low - size ) >= start ) {
 			low -= size;
 			pa = low;
-		} else if ( ( high + size ) <= end ) {
+		} else if ( high <= ( end - size ) ) {
 			pa = high;
 			high += size;
 		} else {