<br><br>
<div class="gmail_quote">On Wed, Jul 29, 2009 at 3:34 PM, Roel Kluin <span dir="ltr"><<a href="mailto:roel.kluin@gmail.com">roel.kluin@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im">Ensure index stays within smp->return_path[] and ->initial_path[].<br>A hop_cnt or hop_ptr greater or equal to IB_SMP_MAX_PATH_HOPS is invalid.<br><br>Signed-off-by: Roel Kluin <<a href="mailto:roel.kluin@gmail.com">roel.kluin@gmail.com</a>><br>
---<br></div>Op 29-07-09 21:22, Hal Rosenstock schreef:<br>
<div class="im">><br>> On Wed, Jul 29, 2009 at 3:15 PM, Roland Dreier <<a href="mailto:rdreier@cisco.com">rdreier@cisco.com</a><br></div>
<div class="im">> <mailto:<a href="mailto:rdreier@cisco.com">rdreier@cisco.com</a>>> wrote:<br>><br>><br>> > Based on the spec limiting hop pointer to 255 and not 63, I think the<br>> > above should just be a check on hop count and not hop pointer:<br>
> > if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)<br>><br>> Yes, it seems that the current code then properly checks hop_ptr against<br>> hop_cnt in all cases. Do we all agree that the following patch is<br>
> right? If so I'll queue it for 2.6.32:<br><br></div>
<div class="im">> That looks right to me on the send side. Shouldn't there be the same<br>> check on the recv side (smi_handle_dr_smp_recv) which was the intent of<br>> Roel's original patch ?<br>><br>
> -- Hal<br>><br><br></div>I think we also need the `hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS' test, right?</blockquote>
<div> </div>
<div>Where are you referring to add this ? Like in your original patch ?</div>
<div> </div>
<div>-- Hal</div>
<div> </div>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><span id=""></span><br>
<div class="im"><br>diff --git a/drivers/infiniband/core/smi.c b/drivers/infiniband/core/smi.c<br></div>index 8723675..c623da7 100644<br>
<div class="im">--- a/drivers/infiniband/core/smi.c<br>+++ b/drivers/infiniband/core/smi.c<br>@@ -52,6 +52,10 @@ enum smi_action smi_handle_dr_smp_send(struct ib_smp *smp,<br> hop_cnt = smp->hop_cnt;<br><br> /* See section 14.2.2.2, Vol 1 IB spec */<br>
+ /* C14-6 -- valid hop_cnt values are from 0 to 63 */<br>+ if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)<br>+ return IB_SMI_DISCARD;<br>+<br> if (!ib_get_smp_direction(smp)) {<br> /* C14-9:1 */<br>
if (hop_cnt && hop_ptr == 0) {<br></div>@@ -132,6 +136,9 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, u8 node_type,<br>
<div class="im"> hop_ptr = smp->hop_ptr;<br></div>
<div class="im"> hop_cnt = smp->hop_cnt;<br><br></div>+ if (hop_cnt >= IB_SMP_MAX_PATH_HOPS)<br>+ return IB_SMI_DISCARD;<br>+<br>
<div class="im"> /* See section 14.2.2.2, Vol 1 IB spec */<br></div>
<div class="im"> if (!ib_get_smp_direction(smp)) {<br></div>
<div class="im"> /* C14-9:1 -- sender should have incremented hop_ptr */<br></div>@@ -140,7 +147,8 @@ enum smi_action smi_handle_dr_smp_recv(struct ib_smp *smp, u8 node_type,<br>
<div class="im"><br> /* C14-9:2 -- intermediate hop */<br> if (hop_ptr && hop_ptr < hop_cnt) {<br>- if (node_type != RDMA_NODE_IB_SWITCH)<br>+ if (node_type != RDMA_NODE_IB_SWITCH ||<br>
</div>+ hop_ptr + 1 >= IB_SMP_MAX_PATH_HOPS)<br> return IB_SMI_DISCARD;<br><br>
<div>
<div></div>
<div class="h5"> smp->return_path[hop_ptr] = port_num;<br></div></div></blockquote></div><br>