Re: [ofa-general] [PATCH] IB: Possible write outside array bounds

Wed, 29 Jul 2009 12:31:16 -0700 

Ensure index stays within smp->return_path[] and ->initial_path[].
A hop_cnt or hop_ptr greater or equal to IB_SMP_MAX_PATH_HOPS is invalid.

Signed-off-by: Roel Kluin <[email protected]>
---
Op 29-07-09 21:22, Hal Rosenstock schreef:
> 
> On Wed, Jul 29, 2009 at 3:15 PM, Roland Dreier <[email protected]
> <mailto:[email protected]>> wrote:
> 
> 
>      > Based on the spec limiting hop pointer to 255 and not 63, I think the
>      > above should just be a check on hop count and not hop pointer:
>      >             if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
> 
>     Yes, it seems that the current code then properly checks hop_ptr against
>     hop_cnt in all cases.  Do we all agree that the following patch is
>     right?  If so I'll queue it for 2.6.32:

> That looks right to me on the send side. Shouldn't there be the same
> check on the recv side (smi_handle_dr_smp_recv) which was the intent of
> Roel's original patch ?
>  
> -- Hal
>  

I think we also need the `hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS' test, right?

diff --git a/drivers/infiniband/core/smi.c b/drivers/infiniband/core/smi.c
index 8723675..c623da7 100644
--- a/drivers/infiniband/core/smi.c
+++ b/drivers/infiniband/core/smi.c
@@ -52,6 +52,10 @@ enum smi_action smi_handle_dr_smp_send(struct ib_smp *smp,
        hop_cnt = smp->hop_cnt;
 
        /* See section 14.2.2.2, Vol 1 IB spec */
+       /* C14-6 -- valid hop_cnt values are from 0 to 63 */
+       if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
+               return IB_SMI_DISCARD;
+
        if (!ib_get_smp_direction(smp)) {
                /* C14-9:1 */
                if (hop_cnt && hop_ptr == 0) {
@@ -132,6 +136,9 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, 
u8 node_type,
        hop_ptr = smp->hop_ptr;
        hop_cnt = smp->hop_cnt;
 
+       if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)
+               return IB_SMI_DISCARD;
+
        /* See section 14.2.2.2, Vol 1 IB spec */
        if (!ib_get_smp_direction(smp)) {
                /* C14-9:1 -- sender should have incremented hop_ptr */
@@ -140,7 +147,8 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, 
u8 node_type,
 
                /* C14-9:2 -- intermediate hop */
                if (hop_ptr && hop_ptr < hop_cnt) {
-                       if (node_type != RDMA_NODE_IB_SWITCH)
+                       if (node_type != RDMA_NODE_IB_SWITCH ||
+                                       hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS)
                                return IB_SMI_DISCARD;
 
                        smp->return_path[hop_ptr] = port_num;
_______________________________________________
general mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general

To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general

Reply via email to