[Openib-windows] [PATCH v2] Handle RMPP send payload < MAD buffer length

Fab Tillier ftillier at silverstorm.com
Mon Oct 3 16:41:37 PDT 2005


> From: Tillier, Fabian
> Sent: Monday, October 03, 2005 4:12 PM
> 
> Folks,
> 
> I found a bug in sending MADs where the last segment of an RMPP send would try
> to send a full payload's worth of data in the MAD, which could result in
> copying data beyond the end of the source buffer and the corresponding BSOD.
> 
> Here's a patch that corrects this.  It does not clear the remaining bytes of
> the MAD, as I wasn't sure it was needed.  Please take a look and confirm that
> what I'm doing is sane, and I'll check it in.

Here's an updated version that adds a line to clear the unused portion of the
MAD payload.  This is probably being overly cautious, but I didn't want to let a
previous MAD's potentially sensitive information be partially retransmitted.

- Fab

Signed-off-by: Fab Tillier (ftillier at silverstorm.com)

Index: core/al/al_mad.c
===================================================================
--- core/al/al_mad.c    (revision 100)
+++ core/al/al_mad.c    (working copy)
@@ -1681,6 +1681,7 @@
    al_mad_element_t    *p_al_element;
    ib_rmpp_mad_t       *p_rmpp_hdr;
    uint8_t             *p_rmpp_src, *p_rmpp_dst;
+   uintn_t             hdr_len, offset, max_len;
 
    CL_ENTER( AL_DBG_MAD_SVC, g_al_dbg_lvl );
    p_send_wr = &h_send->mad_wr.send_wr;
@@ -1702,28 +1703,32 @@
        p_rmpp_dst = (uint8_t*)(uintn_t)p_al_element->mad_ds.vaddr;
 #endif
        p_rmpp_src = (uint8_t* __ptr64)h_send->p_send_mad->p_mad_buf;
-       p_rmpp_hdr = (ib_rmpp_mad_t* __ptr64)h_send->p_send_mad->p_mad_buf;
+       p_rmpp_hdr = (ib_rmpp_mad_t*)p_rmpp_src;
 
        if( h_send->p_send_mad->p_mad_buf->mgmt_class == IB_MCLASS_SUBN_ADM )
-       {
-           /* Copy the header into the registered send buffer. */
-           cl_memcpy( p_rmpp_dst, p_rmpp_src, IB_SA_MAD_HDR_SIZE );
-           /* Copy this segment's payload into the registered send buffer. */
-           p_rmpp_dst = p_rmpp_dst + IB_SA_MAD_HDR_SIZE;
-           p_rmpp_src = p_rmpp_src + IB_SA_MAD_HDR_SIZE +
-               ( (cl_ntoh32( p_rmpp_hdr->seg_num ) - 1) * IB_SA_DATA_SIZE );
-           cl_memcpy( p_rmpp_dst, p_rmpp_src, IB_SA_DATA_SIZE );
-       } 
+           hdr_len = IB_SA_MAD_HDR_SIZE;
        else
+           hdr_len = MAD_RMPP_HDR_SIZE;
+
+       max_len = MAD_BLOCK_SIZE - hdr_len;
+
+       offset = hdr_len + (max_len * (cl_ntoh32( p_rmpp_hdr->seg_num ) - 1));
+
+       /* Copy the header into the registered send buffer. */
+       cl_memcpy( p_rmpp_dst, p_rmpp_src, hdr_len );
+
+       /* Copy this segment's payload into the registered send buffer. */
+       CL_ASSERT( h_send->p_send_mad->size != offset );
+       if( (h_send->p_send_mad->size - offset) < max_len )
        {
-           /* Copy the header into the registered send buffer. */
-           cl_memcpy( p_rmpp_dst, p_rmpp_src, MAD_RMPP_HDR_SIZE );   
-           /* Copy this segment's payload into the registered send buffer. */
-           p_rmpp_dst = p_rmpp_dst + MAD_RMPP_HDR_SIZE;
-           p_rmpp_src = p_rmpp_src + MAD_RMPP_HDR_SIZE +
-               ( (cl_ntoh32( p_rmpp_hdr->seg_num ) - 1) * MAD_RMPP_DATA_SIZE );
-           cl_memcpy( p_rmpp_dst, p_rmpp_src, MAD_RMPP_DATA_SIZE );
+           max_len = h_send->p_send_mad->size - offset;
+           /* Clear unused payload. */
+           cl_memclr( p_rmpp_dst + hdr_len + max_len,
+               MAD_BLOCK_SIZE - hdr_len - max_len );
        }
+
+       cl_memcpy(
+           p_rmpp_dst + hdr_len, p_rmpp_src + hdr_len + offset, max_len );
    }
 
    p_send_wr->num_ds = 1;
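Review bot: the payload source address in the final cl_memcpy double-counts the header. offset is already computed as hdr_len + (max_len * (seg_num - 1)), so `p_rmpp_src + hdr_len + offset` begins hdr_len bytes past the start of this segment's data, whereas the removed code read from `p_rmpp_src + IB_SA_MAD_HDR_SIZE + ((seg_num - 1) * IB_SA_DATA_SIZE)`; the source should be `p_rmpp_src + offset` (the destination `p_rmpp_dst + hdr_len` and the cl_memclr offsets are correct as written). Separately, `CL_ASSERT( h_send->p_send_mad->size != offset )` only rules out equality, and only in checked builds: if size is smaller than offset, the unsigned `size - offset` wraps, the `< max_len` test is false, and a full max_len is copied from beyond the source buffer, which is the over-read this patch sets out to fix. Test `size <= offset` (or at minimum assert `size > offset`) before the subtraction and fail the send rather than continue.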

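A stand-alone C rendering of the clamp-and-clear logic the patch is after, added here as an example rather than taken from al_mad.c: the header sizes (256-byte MAD block, 56-byte SA header) and the function names are assumptions of the example. It also covers the case the patch only asserts on, a segment whose start lies at or beyond the end of the source buffer, by rejecting it before any unsigned subtraction can wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes assumed for this example (MAD block, SA MAD header); not taken from al_mad.c. */
#define MAD_BLOCK_SIZE      256u
#define IB_SA_MAD_HDR_SIZE  56u

/* Fill dst (one MAD_BLOCK_SIZE buffer) with RMPP segment seg_num (1-based) of src[0..src_len).
 * Returns the payload bytes copied, or 0 when the segment would start at/after the end of src. */
size_t rmpp_build_segment(uint8_t *dst, const uint8_t *src, size_t src_len,
                          size_t hdr_len, uint32_t seg_num)
{
    size_t max_len = MAD_BLOCK_SIZE - hdr_len, offset, payload;
    /* All unsigned: reject every case where a later subtraction would wrap. */
    if (seg_num == 0 || hdr_len >= MAD_BLOCK_SIZE || src_len < hdr_len)
        return 0;
    offset = hdr_len + max_len * (size_t)(seg_num - 1);   /* payload start in src */
    if (offset >= src_len)
        return 0;
    payload = src_len - offset;                 /* bytes left in the source buffer */
    if (payload > max_len)
        payload = max_len;                      /* only the final segment is short */
    memcpy(dst, src, hdr_len);                        /* header repeats per segment */
    memcpy(dst + hdr_len, src + offset, payload);     /* never reads past src_len   */
    memset(dst + hdr_len + payload, 0, max_len - payload); /* scrub stale bytes   */
    return payload;
}

/* Self-check: an SA-class MAD with 437 payload bytes segments as 200, 200, 37.
 * Returns 0 on success, otherwise the number of the check that failed. */
int rmpp_selfcheck(void)
{
    static uint8_t src[IB_SA_MAD_HDR_SIZE + 437];      /* constructed test MAD */
    uint8_t dst[MAD_BLOCK_SIZE];
    size_t i, n = sizeof src;
    for (i = 0; i < n; i++)
        src[i] = (uint8_t)i;
    memset(dst, 0xAA, sizeof dst);   /* stale bytes left by a previous MAD */
    if (rmpp_build_segment(dst, src, n, IB_SA_MAD_HDR_SIZE, 1) != 200) return 1;
    if (rmpp_build_segment(dst, src, n, IB_SA_MAD_HDR_SIZE, 2) != 200) return 2;
    if (dst[IB_SA_MAD_HDR_SIZE + 1] != src[257]) return 3; /* segment 2 payload starts at src+256 */
    if (rmpp_build_segment(dst, src, n, IB_SA_MAD_HDR_SIZE, 3) != 37) return 4;
    if (dst[IB_SA_MAD_HDR_SIZE + 36] != src[n - 1]) return 5; /* last byte lands in place */
    for (i = IB_SA_MAD_HDR_SIZE + 37; i < MAD_BLOCK_SIZE; i++)
        if (dst[i] != 0) return 6;                         /* 0xAA filler was cleared */
    if (rmpp_build_segment(dst, src, n, IB_SA_MAD_HDR_SIZE, 4) != 0) return 7;
    if (rmpp_build_segment(dst, src, MAD_BLOCK_SIZE, IB_SA_MAD_HDR_SIZE, 2) != 0) return 8;
    return 0;
}
```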