[ofw] [Patch][ipoib][ipoib_NDIS6_CM] Fixing a bug when OID_GEN_NETWORK_LAYER_ADDRESSES contains bad data

Tzachi Dar tzachid at mellanox.co.il
Mon Aug 30 01:31:22 PDT 2010


Hi Fab,



After some more testing, we have found that the problem happens on windows 2008 R2, and we have a simple repro on our machines.



What you have to do is go to the ipoib adapter, and add 2 IP addresses to the same interface.

Here is a dump of the raw data that we get from NDIS on 2008 R2:



4: kd> db 0xfffffa80`0c39f240
fffffa80`0c39f240  02 00 00 00 02 00 10 00-02 00 00 00 10 00 02 00  ................
fffffa80`0c39f250  0c 7f 00 00 10 04 0c 7f-00 00 00 00 00 00 00 00  ................
fffffa80`0c39f260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 70 9f  ..............p.
fffffa80`0c39f270  04 00 08 02 45 76 65 ee-b4 05 00 00 b8 0b 00 00  ....Eve.........
fffffa80`0c39f280  00 00 00 00 70 00 00 00-00 00 00 00 00 00 00 00  ....p...........
fffffa80`0c39f290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
fffffa80`0c39f2a0  01 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00  ................
fffffa80`0c39f2b0  00 00 00 00 00 00 00 00-0c 00 08 00 00 00 00 00  ................



As you can see, the first struct starts at:

typedef struct _NETWORK_ADDRESS_LIST {
  LONG  AddressCount;
  USHORT  AddressType;
  NETWORK_ADDRESS  Address[1];
} NETWORK_ADDRESS_LIST, *PNETWORK_ADDRESS_LIST;

Which means that AddressCount == 2 and AddressType == 2.

The first address is marked with yellow. The second address seems like garbage.



Here is a similar Address struct on 2008:

fffffa80`0c005ae0  02 00 00 00 02 00 10 00-02 00 00 00 00 00 0f 04  ................
fffffa80`0c005af0  0c 80 00 00 00 00 00 00-00 00 10 00 02 00 00 00  ................
fffffa80`0c005b00  00 00 10 04 0c 80 00 00-00 00 00 00 00 00 00 00  ................
fffffa80`0c005b10  04 00 08 02 4e 74 66 72-00 00 00 00 00 00 00 00  ....Ntfr........
fffffa80`0c005b20  70 11 a4 0c 80 fa ff ff-b0 7b a3 0c 80 fa ff ff  p........{......
fffffa80`0c005b30  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
fffffa80`0c005b40  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
fffffa80



The call stack on Windows 2008 R2 is:

4: kd> k 30
Child-SP          RetAddr           Call Site
fffff880`021a6fb0 fffff880`0510b0d6 ipoib!__ipoib_set_net_addr+0xc2 [b:\users\tzachid\mlnx_winof-2_1_2\ulp\ipoib_ndis6_cm\kernel\ipoib_driver.cpp @ 3461]
fffff880`021a7080 fffff880`0510c0af ipoib!ipoib_set_info+0xa46 [b:\users\tzachid\mlnx_winof-2_1_2\ulp\ipoib_ndis6_cm\kernel\ipoib_driver.cpp @ 2951]
fffff880`021a7160 fffff880`012fc92c ipoib!ipoib_oid_handler+0xef [b:\users\tzachid\mlnx_winof-2_1_2\ulp\ipoib_ndis6_cm\kernel\ipoib_driver.cpp @ 3105]
fffff880`021a71a0 fffff880`01278a19 NDIS!ndisMDoOidRequest+0x26c
fffff880`021a7250 fffff880`01278629 NDIS!ndisFQueueRequestOnNext+0x389
fffff880`021a72c0 fffff880`02d1411b NDIS!NdisFOidRequest+0xc9
fffff880`021a73a0 fffff880`012fcd0b pacer!PcFilterRequest+0x5b
fffff880`021a73d0 fffff880`012788bd NDIS!ndisFDoOidRequest+0x21b
fffff880`021a74a0 fffff880`01278629 NDIS!ndisFQueueRequestOnNext+0x22d
fffff880`021a7510 fffff880`02d0b625 NDIS!NdisFOidRequest+0xc9
fffff880`021a75f0 fffff880`012fcd0b wfplwf!FilterOidRequest+0x61
fffff880`021a7620 fffff880`0127822f NDIS!ndisFDoOidRequest+0x21b
fffff880`021a76f0 fffff880`0133328e NDIS!ndisQueueRequestOnTop+0x21f
fffff880`021a7780 fffff880`018590ef NDIS!ndisMOidRequest+0xde
fffff880`021a7870 fffff880`01817108 tcpip!FlpNdisRequestUnderReference+0x9f
fffff880`021a79e0 fffff880`0188a54a tcpip!FlpNdisRequest+0x58
fffff880`021a7a20 fffff880`01811a9a tcpip! ?? ::FNODOBFM::`string'+0x8e50
fffff880`021a7aa0 fffff880`0180ee02 tcpip!IppUpdateFlAddressList+0x5a
fffff880`021a7b10 fffff880`018233c5 tcpip!IppNotifyAddressChangeAtPassive+0x3d2
fffff880`021a7c00 fffff880`0120599b tcpip!IppInterfaceDelayedWorker+0x15
fffff880`021a7c30 fffff800`0197a541 NETIO!NetiopIoWorkItemRoutine+0x3b
fffff880`021a7c80 fffff800`0168e161 nt!IopProcessWorkItem+0x3d
fffff880`021a7cb0 fffff800`01924166 nt!ExpWorkerThread+0x111
fffff880`021a7d40 fffff800`0165f486 nt!PspSystemThreadStartup+0x5a
fffff880`021a7d80 00000000`00000000 nt!KxStartSystemThread+0x16





Please let us know if you need any more information on reproducing the issue.



On a more practical approach (assuming there is no fix in the short term), I suggest that on Windows 2008 R2 we will not try to parse this structure if it contains more than one element. Please note that this means that ND will not work on such machines (with more than one IP address per interface).



Thanks

Tzachi and xAlex
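A bounds-checked reader for the NETWORK_ADDRESS_LIST layout discussed in this thread, added here as an illustration; it is not code from the ipoib driver or from the patch under review. It assumes the DDK layout quoted in the message (a 6-byte list header of LONG AddressCount plus USHORT AddressType, then a 4-byte per-element header of USHORT AddressLength plus USHORT AddressType, all little-endian) and walks the array the same way the driver does, advancing by AddressLength, but checks every step against the buffer length so that a bogus AddressLength is reported instead of read past. The sample inputs are the leading bytes of the two windbg dumps in the message plus one constructed buffer; MAX_ADDR_LEN and the helper names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* NDIS layout assumed from the DDK definitions quoted in the thread. Fields are
 * read byte-wise (little-endian) rather than by casting the buffer to the struct:
 *   NETWORK_ADDRESS_LIST: LONG AddressCount; USHORT AddressType; NETWORK_ADDRESS Address[1];
 *   NETWORK_ADDRESS:      USHORT AddressLength; USHORT AddressType; UCHAR Address[1]; */
#define LIST_HDR_LEN 6u
#define ADDR_HDR_LEN 4u
#define MAX_ADDR_LEN 64u   /* assumed sanity cap; a NETWORK_ADDRESS_IP payload is 16 bytes */

typedef struct {
    uint16_t type;
    uint16_t length;
    const uint8_t *data;   /* points into the caller's buffer, not copied */
} parsed_addr_t;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static int32_t rd32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Walks the variable-length array (next element = ADDR_HDR_LEN + AddressLength)
 * while checking every header and payload against buf_len. Returns the number
 * of addresses on success, or -1 if the list is inconsistent with the buffer. */
int parse_network_address_list(const uint8_t *buf, size_t buf_len,
                               parsed_addr_t *out, size_t out_max)
{
    if (buf == NULL || buf_len < LIST_HDR_LEN)
        return -1;
    int32_t count = rd32(buf);
    uint16_t list_type = rd16(buf + 4);
    if (count < 0 || (size_t)count > out_max)
        return -1;
    size_t off = LIST_HDR_LEN;
    for (int32_t i = 0; i < count; i++) {
        if (buf_len - off < ADDR_HDR_LEN)          /* element header would overrun */
            return -1;
        uint16_t len = rd16(buf + off);
        uint16_t type = rd16(buf + off + 2);
        /* Conservative checks: a zero or oversized length, or an element whose
         * type disagrees with the list header, is treated as bad data. */
        if (len == 0 || len > MAX_ADDR_LEN || type != list_type)
            return -1;
        if (buf_len - off - ADDR_HDR_LEN < len)     /* payload would overrun */
            return -1;
        out[i].type = type;
        out[i].length = len;
        out[i].data = buf + off + ADDR_HDR_LEN;
        off += ADDR_HDR_LEN + len;
    }
    return (int)count;
}

/* Sample inputs. dump_2008 and dump_2008_r2 are the leading bytes of the two
 * windbg dumps in the message; bad_length is constructed for this example. */
static const uint8_t dump_2008[48] = {
    0x02,0x00,0x00,0x00, 0x02,0x00, 0x10,0x00, 0x02,0x00, 0x00,0x00,0x00,0x00,0x0f,0x04,
    0x0c,0x80,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00, 0x10,0x00, 0x02,0x00, 0x00,0x00,
    0x00,0x00,0x10,0x04, 0x0c,0x80,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};
static const uint8_t dump_2008_r2[32] = {
    0x02,0x00,0x00,0x00, 0x02,0x00, 0x10,0x00, 0x02,0x00, 0x00,0x00,0x10,0x00,0x02,0x00,
    0x0c,0x7f,0x00,0x00, 0x10,0x04,0x0c,0x7f, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};
static const uint8_t bad_length[20] = {      /* constructed: AddressLength 0x40 in a 20-byte buffer */
    0x01,0x00,0x00,0x00, 0x02,0x00, 0x40,0x00, 0x02,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,
};

/* Parses a sample buffer and returns the element count, or -1 on rejection. */
int parse_sample(const uint8_t *buf, size_t buf_len)
{
    parsed_addr_t addrs[8];
    return parse_network_address_list(buf, buf_len, addrs, 8);
}

/* Returns payload byte `byte` of element `idx` from dump_2008, or -1. */
int sample_2008_byte(int idx, int byte)
{
    parsed_addr_t addrs[8];
    if (parse_network_address_list(dump_2008, sizeof dump_2008, addrs, 8) != 2)
        return -1;
    return addrs[idx].data[byte];
}

int main(void)
{
    printf("2008 dump:      %d\n", parse_sample(dump_2008, sizeof dump_2008));
    printf("2008 R2 dump:   %d\n", parse_sample(dump_2008_r2, sizeof dump_2008_r2));
    printf("bad length:     %d\n", parse_sample(bad_length, sizeof bad_length));
    printf("truncated 2008: %d\n", parse_sample(dump_2008, 40));
    return 0;
}
```

On the 2008 bytes the walk finds two 16-byte elements at offsets 6 and 26, matching the dump. On the 2008 R2 bytes the second element's header at offset 26 reads as AddressLength 0, so the reader stops with -1 at exactly the point where an unchecked walk would start consuming whatever follows; the constructed buffer shows the payload overrun check, and the truncated call shows that the check also covers a buffer shorter than the list claims.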







> -----Original Message-----

> From: ofw-bounces at lists.openfabrics.org [mailto:ofw-

> bounces at lists.openfabrics.org] On Behalf Of Fab Tillier

> Sent: Wednesday, August 25, 2010 7:26 PM

> To: Alex Naslednikov; Hefty, Sean; ofw at lists.openfabrics.org

> Subject: Re: [ofw] [Patch][ipoib][ipoib_NDIS6_CM] Fixing a bug when

> OID_GEN_NETWORK_LAYER_ADDRESSES contains bad data

>

> What are the repro steps for this?

>

> Thanks,

> -Fab

>

> Alex Naslednikov wrote on Tue, 24 Aug 2010 at 23:06:15

>

> > Yes, we got to the same decision - the NETWORK_ADDRESS array

> contained 5

> > 6-bytes chunks instead of 5 14-bytes chunks. But anyway, this bug at

> > NDIS caused BSOD at ipoib (because of memory violation)

> >

> > -----Original Message-----

> > From: Hefty, Sean [mailto:sean.hefty at intel.com]

> > Sent: Monday, August 23, 2010 7:16 PM

> > To: Alex Naslednikov; ofw at lists.openfabrics.org

> > Subject: RE: [ofw] [Patch][ipoib][ipoib_NDIS6_CM] Fixing a bug when

> > OID_GEN_NETWORK_LAYER_ADDRESSES contains bad data

> >

> >> Fixing the bug when NDIS sends OID_GEN_NETWORK_LAYER_ADDRESSES with

> >> the list of new addresses with invalid formatting (happened when

> >> AddressCount

> >> =5)

> >>

> >> NDIS sends NETWORK_ADDRESS_LIST structure, which contains an array

> of

> >> NETWORK_ADDRESS structures of variable size.

> >> The calculation of the next address offset is based on

> AddressLength;

> >> in a case when this field contains wrong data, one can get access

> >> violation error

> >

> > This sounds like a bug in NDIS

> >

> > _______________________________________________

> > ofw mailing list

> > ofw at lists.openfabrics.org

> > http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw

> _______________________________________________

> ofw mailing list

> ofw at lists.openfabrics.org

> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw