<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18928"></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial>Hello,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial>  I think Sean is correct in that this sounds like an 
NDIS problem. That said, NDIS is not going to be fixed soon, so I would agree 
with your patch for now.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial>Currently incorporating your patch; I will let you know if I can 
trigger the bug. How do you trigger the bug that the patch 
fixes?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial>thanks,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial>stan.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=341593521-23082010><FONT color=#0000ff 
size=2 face=Arial>PS: does anybody know how to convince Outlook not to add 
&lt;tab&gt; chars in the subject line after x characters of the subject 
line?</FONT></SPAN></DIV><BR>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> ofw-bounces@lists.openfabrics.org 
[mailto:ofw-bounces@lists.openfabrics.org] <B>On Behalf Of </B>Alex 
Naslednikov<BR><B>Sent:</B> Monday, August 23, 2010 6:39 AM<BR><B>To:</B> 
ofw@lists.openfabrics.org<BR><B>Subject:</B> [ofw] 
[Patch][ipoib][ipoib_NDIS6_CM] Fixing a bug when OID_GEN_NETWORK_LAYER_ADDRESSES 
contains bad data<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT size=2 face=Arial>Fixes the bug that occurs when NDIS sends 
OID_GEN_NETWORK_LAYER_ADDRESSES with a <BR>list of new addresses that is formatted 
incorrectly (happened when AddressCount = 5).<BR> <BR>NDIS sends a 
NETWORK_ADDRESS_LIST structure, which contains an array of NETWORK_ADDRESS 
structures of variable size.<BR>The offset of the next address is calculated 
from AddressLength; <BR>if this field contains wrong data, the result can be an 
access violation.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>Signed-off by: Alexander Naslednikov (xalex at 
mellanox.co.il)</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>Index: 
B:/users/xalex/MLNX_WinOF-2_1_2/ulp/ipoib/kernel/ipoib_driver.c<BR>===================================================================<BR>--- 
B:/users/xalex/MLNX_WinOF-2_1_2/ulp/ipoib/kernel/ipoib_driver.c (revision 
6298)<BR>+++ 
B:/users/xalex/MLNX_WinOF-2_1_2/ulp/ipoib/kernel/ipoib_driver.c (revision 
6299)<BR>@@ -2210,30 +2210,27 @@<BR>    cl_vector_get_ptr( 
&p_adapter->ip_vector, idx );<BR>   p_net_addr_oid = 
(PNETWORK_ADDRESS)p_net_addrs->Address;<BR> <BR>-  for( i = 0; 
i < p_net_addrs->AddressCount; ++i, p_net_addr_oid 
=<BR>-   (PNETWORK_ADDRESS)((uint8_t *)p_net_addr_oid 
+<BR>-   FIELD_OFFSET(NETWORK_ADDRESS, Address) 
+<BR>-   p_net_addr_oid->AddressLength) )<BR>+  for( 
i = 0; i < p_net_addrs->AddressCount; ++i 
)<BR>   {<BR> <BR>-   if( 
p_net_addr_oid->AddressType != NDIS_PROTOCOL_ID_TCP_IP 
)<BR>-   {<BR>-    IPOIB_PRINT( 
TRACE_LEVEL_WARNING, IPOIB_DBG_OID,<BR>-     ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong type of 0x%.4X, 
"<BR>-      "should be 0x%.4X\n", port_num, i, 
p_net_addr_oid->AddressType,<BR>-      NDIS_PROTOCOL_ID_TCP_IP));<BR>-    continue;<BR>-   }<BR>-<BR>+   // 
Here we check that the data stored at 'AddressLength' field is 
valid;<BR>+   // otherwise, it can lead to a memory violation 
(happened when AddressCount was > 1)<BR>    if( 
p_net_addr_oid->AddressLength != 
NETWORK_ADDRESS_LENGTH_IP)<BR>    {<BR>-    IPOIB_PRINT( 
TRACE_LEVEL_WARNING, 
IPOIB_DBG_OID,<BR>+    IPOIB_PRINT(TRACE_LEVEL_ERROR, 
IPOIB_DBG_ERROR,<BR>      ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong size of %d, 
"<BR>       "should be %d\n", port_num, i, 
p_net_addr_oid->AddressLength,<BR>       NETWORK_ADDRESS_LENGTH_IP));<BR>-    continue;<BR>+    ASSERT 
( p_net_addr_oid->AddressLength == NETWORK_ADDRESS_LENGTH_IPX 
);<BR>+    break;<BR>    }<BR>+   <BR>+   p_net_addr_oid 
= (PNETWORK_ADDRESS)((uint8_t *)p_net_addr_oid 
+<BR>+        FIELD_OFFSET(NETWORK_ADDRESS, 
Address) 
+<BR>+        p_net_addr_oid->AddressLength) 
;<BR> <BR>+   ASSERT( p_net_addr_oid->AddressType == 
NDIS_PROTOCOL_ID_TCP_IP );<BR>+<BR>    p_ip_addr = 
(PNETWORK_ADDRESS_IP)p_net_addr_oid->Address;<BR>    if( 
!cl_memcmp( 
&p_ip_addr->in_addr,<BR>     &p_addr_item->address.as_ulong, 
sizeof(ULONG) ) )<BR>@@ -2273,36 +2270,37 @@<BR>  /* Now look for new 
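Review bot: The pointer advance added just before `ASSERT( p_net_addr_oid->AddressType == NDIS_PROTOCOL_ID_TCP_IP )` now runs before the current entry is consumed, so the loop validates only the length of address 0 and never compares its data, and on the last iteration it dereferences the element after the list (the walk starts at `p_net_addrs->Address` with no other bound), which is the same kind of out-of-bounds access the patch is meant to remove. The same shape is repeated in the `@@ -2273` hunk below and in both hunks of `ipoib_NDIS6_CM/kernel/ipoib_driver.cpp`. Keep the advance in the for-increment as before and turn the type/length check into a runtime `break` instead of a debug-only `ASSERT`, so the increment can only ever consume a length that was just validated and a release build does not interpret a non-TCP/IP entry as IPv4 (if mixed-protocol lists are expected, that entry's length would need its own validation before a `continue` could be safe). The loop body and the enclosing function continue past the end of the hunk, and a check of the walk against the OID's total buffer length would presumably belong in that part as well.
```c
	for( i = 0; i < p_net_addrs->AddressCount; ++i, p_net_addr_oid =
		(PNETWORK_ADDRESS)((uint8_t *)p_net_addr_oid +
		FIELD_OFFSET(NETWORK_ADDRESS, Address) + p_net_addr_oid->AddressLength) )
	{
		/* Stop rather than skip: the increment above must never consume an
		 * AddressLength that has not been checked against the expected size. */
		if( p_net_addr_oid->AddressType != NDIS_PROTOCOL_ID_TCP_IP ||
			p_net_addr_oid->AddressLength != NETWORK_ADDRESS_LENGTH_IP )
		{
			IPOIB_PRINT(TRACE_LEVEL_ERROR, IPOIB_DBG_ERROR,
				("Port %d OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d has wrong type 0x%.4X or size %d, "
				 "expected 0x%.4X / %d\n", port_num, i, p_net_addr_oid->AddressType,
				 p_net_addr_oid->AddressLength, NDIS_PROTOCOL_ID_TCP_IP, NETWORK_ADDRESS_LENGTH_IP));
			break;
		}

		p_ip_addr = (PNETWORK_ADDRESS_IP)p_net_addr_oid->Address;
		/* … unchanged: cl_memcmp against p_addr_item and the rest of the loop body … */
```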
addresses */<BR>  p_net_addr_oid = (NETWORK_ADDRESS 
*)p_net_addrs->Address;<BR>  idx = 0;<BR>- for( i = 0; i < 
p_net_addrs->AddressCount; i++, p_net_addr_oid 
=<BR>-  (PNETWORK_ADDRESS)((uint8_t *)p_net_addr_oid 
+<BR>-  FIELD_OFFSET(NETWORK_ADDRESS, Address) + 
p_net_addr_oid->AddressLength) )<BR>+ <BR>+ for( i = 0; i < 
p_net_addrs->AddressCount; ++i 
)<BR>  {<BR> <BR>-  if( p_net_addr_oid->AddressType 
!= NDIS_PROTOCOL_ID_TCP_IP 
)<BR>-  {<BR>-   IPOIB_PRINT(TRACE_LEVEL_INFORMATION, 
IPOIB_DBG_OID,<BR>-    ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong type of 0x%.4X, 
"<BR>-     "should be 0x%.4X\n", port_num, i, 
p_net_addr_oid->AddressType,<BR>-     NDIS_PROTOCOL_ID_TCP_IP));<BR>-   continue;<BR>-  }<BR>-<BR>+  // 
Here we check that the data stored at 'AddressLength' field is 
valid;<BR>+  // otherwise, it can lead to a memory violation (happened 
when AddressCount was > 1)<BR>   if( 
p_net_addr_oid->AddressLength != 
NETWORK_ADDRESS_LENGTH_IP)<BR>   {<BR>-   IPOIB_PRINT(TRACE_LEVEL_INFORMATION, 
IPOIB_DBG_OID,<BR>+   IPOIB_PRINT(TRACE_LEVEL_ERROR, 
IPOIB_DBG_ERROR,<BR>     ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong size of %d, 
"<BR>      "should be %d\n", port_num, i, 
p_net_addr_oid->AddressLength,<BR>      NETWORK_ADDRESS_LENGTH_IP));<BR>-   continue;<BR>+   ASSERT 
( p_net_addr_oid->AddressLength == NETWORK_ADDRESS_LENGTH_IPX 
);<BR>+   break;<BR>+   <BR>   }<BR>-<BR>+  <BR>+  ASSERT( 
p_net_addr_oid->AddressType == NDIS_PROTOCOL_ID_TCP_IP 
);<BR>+  <BR>+  p_net_addr_oid = (PNETWORK_ADDRESS)((uint8_t 
*)p_net_addr_oid 
+<BR>+       FIELD_OFFSET(NETWORK_ADDRESS, 
Address) 
+<BR>+       p_net_addr_oid->AddressLength) 
;<BR>+  <BR>+  <BR>   p_ip_addr = 
(PNETWORK_ADDRESS_IP)p_net_addr_oid->Address;<BR> <BR>   /* 
Size the vector as needed. */<BR>   if( cl_vector_get_size( 
&p_adapter->ip_vector ) <= idx 
)<BR>    cl_vector_set_size( &p_adapter->ip_vector, 
idx + 1 );<BR> <BR>-  p_addr_item = cl_vector_get_ptr( 
&p_adapter->ip_vector, idx );<BR>+  p_addr_item = 
(net_address_item_t *) cl_vector_get_ptr( &p_adapter->ip_vector, idx 
);<BR>   if( !cl_memcmp( &p_ip_addr->in_addr, 
&p_addr_item->address.as_ulong,<BR>    sizeof(ULONG) 
) )<BR>   {<BR>Index: 
B:/users/xalex/MLNX_WinOF-2_1_2/ulp/ipoib_NDIS6_CM/kernel/ipoib_driver.cpp<BR>===================================================================<BR>--- 
B:/users/xalex/MLNX_WinOF-2_1_2/ulp/ipoib_NDIS6_CM/kernel/ipoib_driver.cpp (revision 
6298)<BR>+++ 
B:/users/xalex/MLNX_WinOF-2_1_2/ulp/ipoib_NDIS6_CM/kernel/ipoib_driver.cpp (revision 
6299)<BR>@@ -3514,30 +3514,27 @@<BR>    cl_vector_get_ptr( 
&p_adapter->ip_vector, idx );<BR>   p_net_addr_oid = 
(PNETWORK_ADDRESS)p_net_addrs->Address;<BR> <BR>-  for( i = 0; 
i < p_net_addrs->AddressCount; ++i, p_net_addr_oid 
=<BR>-   (PNETWORK_ADDRESS)((uint8_t *)p_net_addr_oid 
+<BR>-   FIELD_OFFSET(NETWORK_ADDRESS, Address) 
+<BR>-   p_net_addr_oid->AddressLength) )<BR>+  for( 
i = 0; i < p_net_addrs->AddressCount; ++i 
)<BR>   {<BR> <BR>-   if( 
p_net_addr_oid->AddressType != NDIS_PROTOCOL_ID_TCP_IP 
)<BR>-   {<BR>-    IPOIB_PRINT( 
TRACE_LEVEL_WARNING, IPOIB_DBG_OID,<BR>-     ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong type of 0x%.4X, 
"<BR>-      "should be 0x%.4X\n", port_num, i, 
p_net_addr_oid->AddressType,<BR>-      NDIS_PROTOCOL_ID_TCP_IP));<BR>-    continue;<BR>-   }<BR>-<BR>+   // 
Here we check that the data stored at 'AddressLength' field is 
valid;<BR>+   // otherwise, it can lead to a memory violation 
(happened when AddressCount was > 1)<BR>    if( 
p_net_addr_oid->AddressLength != 
NETWORK_ADDRESS_LENGTH_IP)<BR>    {<BR>-    IPOIB_PRINT( 
TRACE_LEVEL_WARNING, 
IPOIB_DBG_OID,<BR>+    IPOIB_PRINT(TRACE_LEVEL_ERROR, 
IPOIB_DBG_ERROR,<BR>      ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong size of %d, 
"<BR>       "should be %d\n", port_num, i, 
p_net_addr_oid->AddressLength,<BR>       NETWORK_ADDRESS_LENGTH_IP));<BR>-    continue;<BR>+    ASSERT 
( p_net_addr_oid->AddressLength == NETWORK_ADDRESS_LENGTH_IPX 
);<BR>+    break;<BR>    }<BR>+   <BR>+   p_net_addr_oid 
= (PNETWORK_ADDRESS)((uint8_t *)p_net_addr_oid 
+<BR>+        FIELD_OFFSET(NETWORK_ADDRESS, 
Address) 
+<BR>+        p_net_addr_oid->AddressLength) 
;<BR> <BR>+   ASSERT( p_net_addr_oid->AddressType == 
NDIS_PROTOCOL_ID_TCP_IP );<BR>+<BR>    p_ip_addr = 
(PNETWORK_ADDRESS_IP)p_net_addr_oid->Address;<BR>    if( 
!cl_memcmp( 
&p_ip_addr->in_addr,<BR>     &p_addr_item->address.as_ulong, 
sizeof(ULONG) ) )<BR>@@ -3577,29 +3574,30 @@<BR>  /* Now look for new 
addresses */<BR>  p_net_addr_oid = (NETWORK_ADDRESS 
*)p_net_addrs->Address;<BR>  idx = 0;<BR>- for( i = 0; i < 
p_net_addrs->AddressCount; i++, p_net_addr_oid 
=<BR>-  (PNETWORK_ADDRESS)((uint8_t *)p_net_addr_oid 
+<BR>-  FIELD_OFFSET(NETWORK_ADDRESS, Address) + 
p_net_addr_oid->AddressLength) )<BR>+ <BR>+ for( i = 0; i < 
p_net_addrs->AddressCount; ++i 
)<BR>  {<BR> <BR>-  if( p_net_addr_oid->AddressType 
!= NDIS_PROTOCOL_ID_TCP_IP 
)<BR>-  {<BR>-   IPOIB_PRINT(TRACE_LEVEL_INFORMATION, 
IPOIB_DBG_OID,<BR>-    ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong type of 0x%.4X, 
"<BR>-     "should be 0x%.4X\n", port_num, i, 
p_net_addr_oid->AddressType,<BR>-     NDIS_PROTOCOL_ID_TCP_IP));<BR>-   continue;<BR>-  }<BR>-<BR>+  // 
Here we check that the data stored at 'AddressLength' field is 
valid;<BR>+  // otherwise, it can lead to a memory violation (happened 
when AddressCount was > 1)<BR>   if( 
p_net_addr_oid->AddressLength != 
NETWORK_ADDRESS_LENGTH_IP)<BR>   {<BR>-   IPOIB_PRINT(TRACE_LEVEL_INFORMATION, 
IPOIB_DBG_OID,<BR>+   IPOIB_PRINT(TRACE_LEVEL_ERROR, 
IPOIB_DBG_ERROR,<BR>     ("Port %d 
OID_GEN_NETWORK_LAYER_ADDRESSES - Address %d is wrong size of %d, 
"<BR>      "should be %d\n", port_num, i, 
p_net_addr_oid->AddressLength,<BR>      NETWORK_ADDRESS_LENGTH_IP));<BR>-   continue;<BR>+   ASSERT 
( p_net_addr_oid->AddressLength == NETWORK_ADDRESS_LENGTH_IPX 
);<BR>+   break;<BR>+   <BR>   }<BR>-<BR>+  <BR>+  ASSERT( 
p_net_addr_oid->AddressType == NDIS_PROTOCOL_ID_TCP_IP 
);<BR>+  <BR>+  p_net_addr_oid = (PNETWORK_ADDRESS)((uint8_t 
*)p_net_addr_oid 
+<BR>+       FIELD_OFFSET(NETWORK_ADDRESS, 
Address) 
+<BR>+       p_net_addr_oid->AddressLength) 
;<BR>+  <BR>+  <BR>   p_ip_addr = 
(PNETWORK_ADDRESS_IP)p_net_addr_oid->Address;<BR> <BR>   /* 
Size the vector as needed. */<BR></FONT></DIV></BODY></HTML>