|
 |
be1f7d |
From 5075b961a29ff9c418e1fefe78432e95dd0a5fcc Mon Sep 17 00:00:00 2001
|
|
|
be1f7d |
From: Michal Schmidt <mschmidt@redhat.com>
|
|
|
be1f7d |
Date: Wed, 1 Feb 2023 22:41:06 +0100
|
|
|
be1f7d |
Subject: [PATCH 1/3] util: fix overflow in remap_node_name()
|
|
|
be1f7d |
|
|
|
be1f7d |
The function remap_node_name() assumes the parameter 'nodedesc' is at
|
|
|
be1f7d |
least IB_SMP_DATA_SIZE + 1 (i.e. 65) bytes long, because it passes it to
|
|
|
be1f7d |
clean_nodedesc() that writes a nul-terminator to it at offset
|
|
|
be1f7d |
IB_SMP_DATA_SIZE. Callers in infiniband-diags/saquery.c pass
|
|
|
be1f7d |
a (struct ib_node_desc_t).description as the argument, which is only
|
|
|
be1f7d |
IB_NODE_DESCRIPTION_SIZE (i.e. 64) bytes long. This is an overflow.
|
|
|
be1f7d |
|
|
|
be1f7d |
An odd thing about remap_node_name() is that it may (but does not
|
|
|
be1f7d |
always) rewrite the nodedesc in-place. Callers do not appear to
|
|
|
be1f7d |
appreciate this behavior. Most of them are various print_* and dump_*
|
|
|
be1f7d |
functions where rewriting the input makes no sense. Some callers make a
|
|
|
be1f7d |
local copy of the nodedesc first, possibly to protect the original.
|
|
|
be1f7d |
One caller (infiniband-diags/saquery.c:print_node_records()) checks if
|
|
|
be1f7d |
either the original description or the remapped one matches a given
|
|
|
be1f7d |
requested_name - so it looks like it prefers the original to be
|
|
|
be1f7d |
not rewritten.
|
|
|
be1f7d |
|
|
|
be1f7d |
Let's make remap_node_name() a bit safer and more convenient to use.
|
|
|
be1f7d |
Allocate a fixed-sized copy first. Then use strncpy to copy from
|
|
|
be1f7d |
'nodedesc', never reading more than IB_SMP_DATA_SIZE (64) bytes.
|
|
|
be1f7d |
Apply clean_nodedesc() on the correctly-sized copy. This solves the
|
|
|
be1f7d |
overflow bug. Also, the in-place rewrite of 'nodedesc' is gone and it
|
|
|
be1f7d |
can become a (const char*).
|
|
|
be1f7d |
|
|
|
be1f7d |
The overflow was found by a static checker (covscan).
|
|
|
be1f7d |
|
|
|
be1f7d |
Fixes: d974c4e398d2 ("Fix max length of node description (ibnetdiscover and smpquery)")
|
|
|
be1f7d |
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
|
|
|
be1f7d |
---
|
|
|
be1f7d |
util/node_name_map.c | 12 +++++++++---
|
|
|
be1f7d |
util/node_name_map.h | 3 +--
|
|
|
be1f7d |
2 files changed, 10 insertions(+), 5 deletions(-)
|
|
|
be1f7d |
|
|
|
be1f7d |
diff --git a/util/node_name_map.c b/util/node_name_map.c
|
|
|
be1f7d |
index 30b73eb1448e..511cb92ef19c 100644
|
|
|
be1f7d |
--- a/util/node_name_map.c
|
|
|
be1f7d |
+++ b/util/node_name_map.c
|
|
|
be1f7d |
@@ -95,7 +95,7 @@ void close_node_name_map(nn_map_t * map)
|
|
|
be1f7d |
free(map);
|
|
|
be1f7d |
}
|
|
|
be1f7d |
|
|
|
be1f7d |
-char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc)
|
|
|
be1f7d |
+char *remap_node_name(nn_map_t * map, uint64_t target_guid, const char *nodedesc)
|
|
|
be1f7d |
{
|
|
|
be1f7d |
char *rc = NULL;
|
|
|
be1f7d |
name_map_item_t *item = NULL;
|
|
|
be1f7d |
@@ -108,8 +108,14 @@ char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc)
|
|
|
be1f7d |
rc = strdup(item->name);
|
|
|
be1f7d |
|
|
|
be1f7d |
done:
|
|
|
be1f7d |
- if (rc == NULL)
|
|
|
be1f7d |
- rc = strdup(clean_nodedesc(nodedesc));
|
|
|
be1f7d |
+ if (rc == NULL) {
|
|
|
be1f7d |
+ rc = malloc(IB_SMP_DATA_SIZE + 1);
|
|
|
be1f7d |
+ if (rc) {
|
|
|
be1f7d |
+ strncpy(rc, nodedesc, IB_SMP_DATA_SIZE);
|
|
|
be1f7d |
+ rc[IB_SMP_DATA_SIZE] = '\0';
|
|
|
be1f7d |
+ clean_nodedesc(rc);
|
|
|
be1f7d |
+ }
|
|
|
be1f7d |
+ }
|
|
|
be1f7d |
return (rc);
|
|
|
be1f7d |
}
|
|
|
be1f7d |
|
|
|
be1f7d |
diff --git a/util/node_name_map.h b/util/node_name_map.h
|
|
|
be1f7d |
index e78d274b116e..d83d672782c4 100644
|
|
|
be1f7d |
--- a/util/node_name_map.h
|
|
|
be1f7d |
+++ b/util/node_name_map.h
|
|
|
be1f7d |
@@ -12,8 +12,7 @@ typedef struct nn_map nn_map_t;
|
|
|
be1f7d |
|
|
|
be1f7d |
nn_map_t *open_node_name_map(const char *node_name_map);
|
|
|
be1f7d |
void close_node_name_map(nn_map_t *map);
|
|
|
be1f7d |
-/* NOTE: parameter "nodedesc" may be modified here. */
|
|
|
be1f7d |
-char *remap_node_name(nn_map_t *map, uint64_t target_guid, char *nodedesc);
|
|
|
be1f7d |
+char *remap_node_name(nn_map_t *map, uint64_t target_guid, const char *nodedesc);
|
|
|
be1f7d |
char *clean_nodedesc(char *nodedesc);
|
|
|
be1f7d |
|
|
|
be1f7d |
#endif
|
|
|
be1f7d |
--
|
|
|
be1f7d |
2.39.1
|
|
|
be1f7d |
|