Re: [PATCH v2 rdma-next] RDMA/iwcm: Don't copy past the end of dev_name() string

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 20, 2018 at 02:00:11PM -0800, Steve Wise wrote:
> We now use dev_name(&ib_device->dev) instead of ib_device->name in
> iwpm messages.  The name field in struct device is a const char *,
> where as ib_device->name is a char array of size IB_DEVICE_NAME_MAX,
> and it is pre-initialized to zeros.
> 
> Since iw_cm_map() was using memcpy() to copy in the device name, and
> copying IWPM_DEVNAME_SIZE bytes, it ends up copying past the end of the
> source device name string and copying random bytes.  This results in iwpmd
> failing the REGISTER_PID request from iwcm.  Thus port mapping is broken.
> 
> Validate the device and if names, and use strncpy() to inialize the
> entire message field.
> 
> Fixes: 896de0090a85 ("RDMA/core: Use dev_name instead of ibdev->name")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Steve Wise <swise@xxxxxxxxxxxxxxxxxxxxx>
> ---
> 
> Changes since v1:
> - rebased onto rdma/for-next
> - no need to initialize the iwpm_dev_data struct at declaration; strncpy()
>   pads out zeros for the length of the dst buffer. 
> - validate devname and ifname string lengths
> 
> ---
> 
>  drivers/infiniband/core/iwcm.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

Applied to for-next

Thanks
Jason



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux