From a5affc832e2ae5fbbc88aafa452354fa418578b4 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Tue, 21 Mar 2017 11:46:17 +0200
Subject: [PATCH] [arbel] Avoid potential integer overflow when calculating
 memory mappings

When the area to be mapped straddles the 2GB boundary, the expression
(high+size) will overflow on the first loop iteration.  Fix by using
(end-size), which cannot underflow.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/drivers/infiniband/arbel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/drivers/infiniband/arbel.c b/src/drivers/infiniband/arbel.c
index 9671174c..ea65d8b8 100644
--- a/src/drivers/infiniband/arbel.c
+++ b/src/drivers/infiniband/arbel.c
@@ -1994,7 +1994,7 @@ static int arbel_map_vpm ( struct arbel *arbel,
 		if ( ( low - size ) >= start ) {
 			low -= size;
 			pa = low;
-		} else if ( ( high + size ) <= end ) {
+		} else if ( high <= ( end - size ) ) {
 			pa = high;
 			high += size;
 		} else {