From 6ee62eb24220d8e364728c007f0d6cb8285e544a Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Tue, 21 Mar 2017 11:46:17 +0200
Subject: [PATCH] [hermon] Avoid potential integer overflow when calculating
 memory mappings

When the area to be mapped straddles the 2GB boundary, the expression
(high+size) will overflow on the first loop iteration.  Fix by using
(end-size), which cannot underflow.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/drivers/infiniband/hermon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/drivers/infiniband/hermon.c b/src/drivers/infiniband/hermon.c
index 79d60609..2199a9d9 100644
--- a/src/drivers/infiniband/hermon.c
+++ b/src/drivers/infiniband/hermon.c
@@ -2135,7 +2135,7 @@ static int hermon_map_vpm ( struct hermon *hermon,
 		if ( ( low - size ) >= start ) {
 			low -= size;
 			pa = low;
-		} else if ( ( high + size ) <= end ) {
+		} else if ( high <= ( end - size ) ) {
 			pa = high;
 			high += size;
 		} else {