[ofa-general] [PATCH v2] ibutils/ibis: prevent buffer overflows

Yevgeny Kliteynik kliteyn at dev.mellanox.co.il
Fri Oct 10 13:22:11 PDT 2008


Oren,

As discovered by Sasha:

> There are a couple of one byte buffer overflows in ibis*_wrap.c* files.
> Guess those files were generated originally, but I didn't find from
> where stuff like obj->log_file[1024] = '\0' is coming. So fixing in
> place.
> 
> Signed-off-by: Sasha Khapyorsky <sashak at voltaire.com>

Fixing buffer overflows in the .i files.
Note that one of them is in the typemap of a char array,
which makes me wonder how this thing even worked...

Please regenerate wrappers after this patch.

Signed-off-by: Yevgeny Kliteynik <kliteyn at dev.mellanox.co.il>
---
 ibis/src/ibis_typemaps.i |    2 +-
 ibis/src/ibsm.i          |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ibis/src/ibis_typemaps.i b/ibis/src/ibis_typemaps.i
index b9449d2..4855e85 100644
--- a/ibis/src/ibis_typemaps.i
+++ b/ibis/src/ibis_typemaps.i
@@ -157,7 +157,7 @@
 /* handle char arrays as members of a struct */
 %typemap (tcl8, memberin) char [ANY] {
   strncpy($target,$source,$dim0 - 1);
-  $target[$dim0] = '\0';
+  $target[$dim0 - 1] = '\0';
 }

 %typemap(tcl8,out) ib_gid_t* {
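
Review bot: the memberin typemap for char [ANY] still truncates silently: strncpy($target,$source,$dim0 - 1) copies at most $dim0 - 1 bytes and the corrected $target[$dim0 - 1] = '\0' then terminates, so a Tcl caller passing a longer string gets a shortened member with no error. The index fix itself is right, since the last valid element of a $dim0-sized array is $dim0 - 1. Consider stating the truncation in the comment above the typemap, or rejecting input whose strlen($source) is >= $dim0. Also, this diff touches only the .i files, so the overflow stays in the shipped ibis*_wrap.c files until they are regenerated; including the regenerated wrappers in the same series would avoid a window where the tree is still vulnerable.
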
diff --git a/ibis/src/ibsm.i b/ibis/src/ibsm.i
index 5979547..0e3d69b 100644
--- a/ibis/src/ibsm.i
+++ b/ibis/src/ibsm.i
@@ -642,7 +642,7 @@ typedef struct _ibsm_vl_arb_table
 }
 %typemap(tcl8,memberin) ibsm_node_desc_str_t[IB_NODE_DESCRIPTION_SIZE] {
   strncpy((char *)$target,(char *)$source,IB_NODE_DESCRIPTION_SIZE - 1);
-  $target[IB_NODE_DESCRIPTION_SIZE] = '\0';
+  $target[IB_NODE_DESCRIPTION_SIZE - 1] = '\0';
 }

 %typemap(tcl8,out) ibsm_node_desc_str_t[ANY] {
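
Review bot: the terminator line indexes $target directly, $target[IB_NODE_DESCRIPTION_SIZE - 1] = '\0', while the strncpy line above it casts $target to (char *). If the element type behind ibsm_node_desc_str_t is not a single byte, the index and the byte count used by strncpy do not refer to the same position, so apply the same cast on the terminator line or confirm the element type in the commit message. For consistency with the char [ANY] typemap in ibis_typemaps.i, this could also use $dim0 instead of repeating IB_NODE_DESCRIPTION_SIZE, which keeps the bound tied to the declared array size.
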
-- 
1.5.1.4



