ibacm: Copy correct number of address bytes before calling provider

Hakon-Bugge · aron-silverton · commit 18c3546cbafd · 2018-12-20T21:21:00.000-06:00
In acm_ep_insert_addr() an attempt to zero out the tmp address buffer is performed. But the subsequent memcpy(), which uses the supplied addr_len as argument, copies the whole shebang. This implies that the provider is called with an address with arbitrary data padded. This leads to a false mis-compare in the default provider's binary tree lookup. Here is the stack trace and dump of the address buffer from gdb (edited for better brevity): (gdb) where #0 acmp_compare_dest (dest1=0x18c46a8, dest2=0x18c5d70) at prov/acmp/src/acmp.c:289 linux-rdma#1 tfind () from /lib64/libc.so.6 linux-rdma#2 acmp_get_dest () at prov/acmp/src/acmp.c:336 linux-rdma#3 acmp_acquire_dest () at prov/acmp/src/acmp.c:379 linux-rdma#4 acmp_add_addr () at prov/acmp/src/acmp.c:2385 linux-rdma#5 acm_ep_insert_addr (..., addr_len=addr_len@entry=64, ...) at src/acm.c:2044 linux-rdma#6 acm_ep_insert_addr (..., addr_len=64, ...) at src/acm.c:1325 linux-rdma#7 acm_add_ep_ip (ip_str=0x7ffeeda298e0 "192.168.200.200", ...) at src/acm.c:1326 linux-rdma#8 acm_ipnl_handler () at src/acm.c:1453 linux-rdma#9 acm_server () at src/acm.c:1884 linux-rdma#10 main () at src/acm.c:3245 (gdb) x/20u dest1 0x18c46a8: 192 168 200 200 155 127 0 0 0x18c46b0: 95 184 77 105 155 127 0 0 0x18c46b8: 0 0 64 49 (gdb) x/20u dest2 0x18c5d70: 192 168 200 200 0 0 0 0 0x18c5d78: 0 0 0 0 0 0 0 0 0x18c5d80: 0 0 0 0 The fix is to use the real length of the address in the memcpy() in acm_ep_insert_addr(). This is derived from the addr_type. Hence, we can re-factor and remove the addr_len from the call stack. Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com> Reviewed-by: Mark Haywood <mark.haywood@oracle.com> Orabug: 29037270 (cherry picked from commit c73f5d7) cherry-pick-repo=linux-rdma/rdma-core.git unmodified-from-upstream: c73f5d7 Signed-off-by: Mark Haywood <mark.haywood@oracle.com> Signed-off-by: Aron Silverton <aron.silverton@oracle.com>
diff --git a/ibacm/src/acm.c b/ibacm/src/acm.c
@@ -197,7 +197,7 @@ static struct acmc_device *
 acm_get_device_from_gid(union ibv_gid *sgid, uint8_t *port);
 static struct acmc_ep *acm_find_ep(struct acmc_port *port, uint16_t pkey);
 static int acm_ep_insert_addr(struct acmc_ep *ep, const char *name, uint8_t *addr,
-			      size_t addr_len, uint8_t addr_type);
+			      uint8_t addr_type);
 static void acm_event_handler(struct acmc_device *dev);
 static int acm_nl_send(int sock, struct acm_msg *msg);
 
@@ -1326,7 +1326,7 @@ static void acm_add_ep_ip(char *ifname, struct acm_ep_addr_data *data, char *ip_
 	ep = acm_find_ep(&dev->port[port_num - 1], pkey);
 	if (ep) {
 		if (acm_ep_insert_addr(ep, ip_str, data->info.addr,
-				       sizeof data->info.addr, data->type))
+				       data->type))
 			acm_log(0, "Failed to add '%s' to EP\n", ip_str);
 	} else {
 		acm_log(0, "Failed to add '%s' no EP for pkey\n", ip_str);
@@ -1370,7 +1370,7 @@ static int acm_ipnl_create(void)
 }
 
 static void acm_ip_iter_cb(char *ifname, union ibv_gid *gid, uint16_t pkey,
-		uint8_t addr_type, uint8_t *addr, size_t addr_len,
+		uint8_t addr_type, uint8_t *addr,
 		char *ip_str, void *ctx)
 {
 	int ret = EINVAL;
@@ -1383,7 +1383,7 @@ static void acm_ip_iter_cb(char *ifname, union ibv_gid *gid, uint16_t pkey,
 	if (dev) {
 		ep = acm_find_ep(&dev->port[port_num - 1], pkey);
 		if (ep)
-			ret = acm_ep_insert_addr(ep, ip_str, addr, addr_len, addr_type);
+			ret = acm_ep_insert_addr(ep, ip_str, addr, addr_type);
 	}
 
 	if (ret) {
@@ -2009,16 +2009,13 @@ static FILE *acm_open_addr_file(void)
 
 static int
 acm_ep_insert_addr(struct acmc_ep *ep, const char *name, uint8_t *addr,
-		   size_t addr_len, uint8_t addr_type)
+		   uint8_t addr_type)
 {
 	int i, ret = -1;
 	uint8_t tmp[ACM_MAX_ADDRESS];
 
-	if (addr_len > ACM_MAX_ADDRESS)
-		return EINVAL;
-
 	memset(tmp, 0, sizeof tmp);
-	memcpy(tmp, addr, addr_len);
+	memcpy(tmp, addr, acm_addr_len(addr_type));
 
 	if (!acm_addr_lookup(&ep->endpoint, addr, addr_type)) {
 		for (i = 0; (i < MAX_EP_ADDR) &&
@@ -2079,7 +2076,7 @@ acm_get_device_from_gid(union ibv_gid *sgid, uint8_t *port)
 }
 
 static void acm_ep_ip_iter_cb(char *ifname, union ibv_gid *gid, uint16_t pkey,
-		uint8_t addr_type, uint8_t *addr, size_t addr_len,
+		uint8_t addr_type, uint8_t *addr,
 		char *ip_str, void *ctx)
 {
 	uint8_t port_num;
@@ -2091,7 +2088,7 @@ static void acm_ep_ip_iter_cb(char *ifname, union ibv_gid *gid, uint16_t pkey,
 	    && ep->port->port.port_num == port_num &&
 		/* pkey retrieved from ipoib has always full mmbr bit set */
 		(ep->endpoint.pkey | IB_PKEY_FULL_MEMBER) == pkey) {
-		if (!acm_ep_insert_addr(ep, ip_str, addr, addr_len, addr_type)) {
+		if (!acm_ep_insert_addr(ep, ip_str, addr, addr_type)) {
 			acm_log(0, "Added %s %s %d 0x%x from %s\n", ip_str,
 				dev->device.verbs->device->name, port_num, pkey,
 				ifname);
@@ -2113,7 +2110,6 @@ static int acm_assign_ep_names(struct acmc_ep *ep)
 	uint16_t pkey;
 	uint8_t addr[ACM_MAX_ADDRESS], type;
 	int port;
-	size_t addr_len;
 
 	dev_name = ep->port->dev->device.verbs->device->name;
 	acm_log(1, "device %s, port %d, pkey 0x%x\n",
@@ -2140,18 +2136,15 @@ static int acm_assign_ep_names(struct acmc_ep *ep)
 				continue;
 			}
 			type = ACM_ADDRESS_IP;
-			addr_len = 4;
 		} else if (inet_pton(AF_INET6, name, addr) > 0) {
 			if (!support_ips_in_addr_cfg) {
 				acm_log(0, "ERROR - IP's are not configured to be read from ibacm_addr.cfg\n");
 				continue;
 			}
 			type = ACM_ADDRESS_IP6;
-			addr_len = 16;
 		} else {
 			type = ACM_ADDRESS_NAME;
-			addr_len = strlen(name);
-			memcpy(addr, name, addr_len);
+			memcpy(addr, name, strlen(name));
 		}
 
 		if (strcasecmp(pkey_str, "default")) {
@@ -2167,7 +2160,7 @@ static int acm_assign_ep_names(struct acmc_ep *ep)
 		    (ep->port->port.port_num == (uint8_t) port) &&
 		    (ep->endpoint.pkey == pkey)) {
 			acm_log(1, "assigning %s\n", name);
-			if (acm_ep_insert_addr(ep, name, addr, addr_len, type)) {
+			if (acm_ep_insert_addr(ep, name, addr, type)) {
 				acm_log(1, "maximum number of names assigned to EP\n");
 				break;
 			}
diff --git a/ibacm/src/acm_util.c b/ibacm/src/acm_util.c
@@ -133,7 +133,6 @@ int acm_if_iter_sys(acm_if_iter_cb cb, void *ctx)
 	union ibv_gid sgid;
 	uint8_t addr_type;
 	uint8_t addr[ACM_MAX_ADDRESS];
-	size_t addr_len;
 	char *alias_sep;
 
 	s = socket(family, SOCK_DGRAM, 0);
@@ -180,7 +179,6 @@ int acm_if_iter_sys(acm_if_iter_cb cb, void *ctx)
 			addr_type = ACM_ADDRESS_IP;
 			memcpy(&addr, &((struct sockaddr_in *) &ifr[i].ifr_addr)->sin_addr,
 				sizeof addr);
-			addr_len = 4;
 			inet_ntop(ifr[i].ifr_addr.sa_family,
 				&((struct sockaddr_in *) &ifr[i].ifr_addr)->sin_addr,
 				ip_str, sizeof ip_str);
@@ -189,7 +187,6 @@ int acm_if_iter_sys(acm_if_iter_cb cb, void *ctx)
 			addr_type = ACM_ADDRESS_IP6;
 			memcpy(&addr, &((struct sockaddr_in6 *) &ifr[i].ifr_addr)->sin6_addr,
 				sizeof addr);
-			addr_len = ACM_MAX_ADDRESS;
 			inet_ntop(ifr[i].ifr_addr.sa_family,
 				&((struct sockaddr_in6 *) &ifr[i].ifr_addr)->sin6_addr,
 				ip_str, sizeof ip_str);
@@ -215,7 +212,7 @@ int acm_if_iter_sys(acm_if_iter_cb cb, void *ctx)
 		if (ret)
 			continue;
 
-		cb(ifr[i].ifr_name, &sgid, pkey, addr_type, addr, addr_len, ip_str, ctx);
+		cb(ifr[i].ifr_name, &sgid, pkey, addr_type, addr, ip_str, ctx);
 	}
 	ret = 0;
 
diff --git a/ibacm/src/acm_util.h b/ibacm/src/acm_util.h
@@ -49,7 +49,7 @@ int acm_if_get_pkey(char *ifname, uint16_t *pkey);
 int acm_if_get_sgid(char *ifname, union ibv_gid *sgid);
 
 typedef void (*acm_if_iter_cb)(char *ifname, union ibv_gid *gid, uint16_t pkey,
-				uint8_t addr_type, uint8_t *addr, size_t addr_len,
+				uint8_t addr_type, uint8_t *addr,
 				char *ip_str, void *ctx);
 int acm_if_iter_sys(acm_if_iter_cb cb, void *ctx);
 
diff --git a/oracle/rdma-core.spec b/oracle/rdma-core.spec
@@ -606,6 +606,18 @@ rm -f %{buildroot}/%{_sbindir}/srp_daemon.sh
 - libibverbs: Fix compiler warnings in examples/frc_pingpong.c (Mark Haywood) [Orabug: 28769907]
 - librdmacm: Fix compiler warnings in librdmacm/cma.c (Mark Haywood) [Orabug: 28794664]
 - libibverbs: Fix compiler warnings in examples/shpd_pingpong.c (Mark Haywood) [Orabug: 28802228]
+- ibacm: Log using RCF3339 timestamps (Matt Ezell) [Orabug: 29037074]
+- ibacm: remove endpoint IP address from provider when address deleted (Mark Haywood) [Orabug: 28845883]
+- ibacm: Check return value when deleting a cache entry (Håkon Bugge) [Orabug: 29037101]
+- ibacm: Flush cache in provider when local address is removed (Håkon Bugge) [Orabug: 29037124]
+- ibacm: Remove trailing blanks (Håkon Bugge) [Orabug: 29037144]
+- ibacm: Fix proper return value from ib_acme (Håkon Bugge) [Orabug: 29037153]
+- ibacm: Handle rereg event coming before link active event (Håkon Bugge) [Orabug: 29037189]
+- ibacm: Use helper functions and existing defines to avoid literal use (Håkon Bugge) [Orabug: 29026611]
+- ibacm: Unable to assign EP name for limited pkey (Håkon Bugge) [Orabug: 29037216]
+- ibacm: Fix improper refcnt (Håkon Bugge) [Orabug: 29037237]
+- ibacm: Fix incorrect length used in address comparisons (Håkon Bugge) [Orabug: 29037253]
+- ibacm: Copy correct number of address bytes before calling provider (Håkon Bugge) [Orabug: 29037270]
 
 * Fri Nov 09 2018 Aron Silverton <aron.silverton@oracle.com> - 5:17.1-1.0.6
 - oracle/spec: Change "vos" to "ora" and update summaries and descriptions [Orabug: 29128747]
