* [PATCH for-next] RDMA/core: Fix storing node_desc
@ 2019-12-23 9:39 Kamal Heib
2020-01-03 23:12 ` Jason Gunthorpe
0 siblings, 1 reply; 3+ messages in thread
From: Kamal Heib @ 2019-12-23 9:39 UTC (permalink / raw)
To: linux-rdma; +Cc: Doug Ledford, Jason Gunthorpe, Kamal Heib
When writing to node_desc sysfs using echo a new line symbol will be
stored at the end of the string, avoid that by dropping the new line
symbol and also make sure to return -EINVAL when the supplied string is
bigger then IB_DEVICE_NODE_DESC_MAX.
Fixes: c5bcbbb9fe00 ("IB: Allow userspace to set node description")
Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
---
drivers/infiniband/core/sysfs.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c
index 087682e6969e..2de5f6710c0b 100644
--- a/drivers/infiniband/core/sysfs.c
+++ b/drivers/infiniband/core/sysfs.c
@@ -1263,12 +1263,21 @@ static ssize_t node_desc_store(struct device *device,
{
struct ib_device *dev = rdma_device_to_ibdev(device);
struct ib_device_modify desc = {};
+ size_t len;
int ret;
if (!dev->ops.modify_device)
return -EOPNOTSUPP;
- memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));
+ if (count > IB_DEVICE_NODE_DESC_MAX)
+ return -EINVAL;
+
+ len = strlen(buf);
+ if (buf[len - 1] == '\n')
+ len--;
+
+ strncpy(desc.node_desc, buf, len);
+ desc.node_desc[len] = 0;
ret = ib_modify_device(dev, IB_DEVICE_MODIFY_NODE_DESC, &desc);
if (ret)
return ret;
--
2.21.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH for-next] RDMA/core: Fix storing node_desc
2019-12-23 9:39 [PATCH for-next] RDMA/core: Fix storing node_desc Kamal Heib
@ 2020-01-03 23:12 ` Jason Gunthorpe
2020-01-12 20:02 ` Kamal Heib
0 siblings, 1 reply; 3+ messages in thread
From: Jason Gunthorpe @ 2020-01-03 23:12 UTC (permalink / raw)
To: Kamal Heib; +Cc: linux-rdma, Doug Ledford
On Mon, Dec 23, 2019 at 11:39:43AM +0200, Kamal Heib wrote:
> When writing to node_desc sysfs using echo a new line symbol will be
> stored at the end of the string, avoid that by dropping the new line
Why do we want to do this? AFAIK technically new line is valid in a
node description.
> symbol and also make sure to return -EINVAL when the supplied string is
> bigger then IB_DEVICE_NODE_DESC_MAX.
This makes sense though
> diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c
> index 087682e6969e..2de5f6710c0b 100644
> +++ b/drivers/infiniband/core/sysfs.c
> @@ -1263,12 +1263,21 @@ static ssize_t node_desc_store(struct device *device,
> {
> struct ib_device *dev = rdma_device_to_ibdev(device);
> struct ib_device_modify desc = {};
> + size_t len;
> int ret;
>
> if (!dev->ops.modify_device)
> return -EOPNOTSUPP;
>
> - memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));
> + if (count > IB_DEVICE_NODE_DESC_MAX)
> + return -EINVAL;
> +
> + len = strlen(buf);
Why strlen? The buf is count bytes long.
> + if (buf[len - 1] == '\n')
> + len--;
And if it is zero bytes this buffer underflows
> + strncpy(desc.node_desc, buf, len);
What was the point of switching away from memcpy?
> + desc.node_desc[len] = 0;
> ret = ib_modify_device(dev, IB_DEVICE_MODIFY_NODE_DESC, &desc);
> if (ret)
> return ret;
Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH for-next] RDMA/core: Fix storing node_desc
2020-01-03 23:12 ` Jason Gunthorpe
@ 2020-01-12 20:02 ` Kamal Heib
0 siblings, 0 replies; 3+ messages in thread
From: Kamal Heib @ 2020-01-12 20:02 UTC (permalink / raw)
To: Jason Gunthorpe; +Cc: linux-rdma, Doug Ledford
On Fri, Jan 03, 2020 at 07:12:12PM -0400, Jason Gunthorpe wrote:
> On Mon, Dec 23, 2019 at 11:39:43AM +0200, Kamal Heib wrote:
> > When writing to node_desc sysfs using echo a new line symbol will be
> > stored at the end of the string, avoid that by dropping the new line
>
> Why do we want to do this? AFAIK technically new line is valid in a
> node description.
>
Self-Nack, please drop this patch, I didn't do a good job here.
Thanks,
Kamal
> > symbol and also make sure to return -EINVAL when the supplied string is
> > bigger then IB_DEVICE_NODE_DESC_MAX.
>
> This makes sense though
>
> > diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c
> > index 087682e6969e..2de5f6710c0b 100644
> > +++ b/drivers/infiniband/core/sysfs.c
> > @@ -1263,12 +1263,21 @@ static ssize_t node_desc_store(struct device *device,
> > {
> > struct ib_device *dev = rdma_device_to_ibdev(device);
> > struct ib_device_modify desc = {};
> > + size_t len;
> > int ret;
> >
> > if (!dev->ops.modify_device)
> > return -EOPNOTSUPP;
> >
> > - memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));
>
> > + if (count > IB_DEVICE_NODE_DESC_MAX)
> > + return -EINVAL;
> > +
> > + len = strlen(buf);
>
> Why strlen? The buf is count bytes long.
>
> > + if (buf[len - 1] == '\n')
> > + len--;
>
> And if it is zero bytes this buffer underflows
>
> > + strncpy(desc.node_desc, buf, len);
>
> What was the point of switching away from memcpy?
>
> > + desc.node_desc[len] = 0;
> > ret = ib_modify_device(dev, IB_DEVICE_MODIFY_NODE_DESC, &desc);
> > if (ret)
> > return ret;
>
> Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-01-12 20:02 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-23 9:39 [PATCH for-next] RDMA/core: Fix storing node_desc Kamal Heib
2020-01-03 23:12 ` Jason Gunthorpe
2020-01-12 20:02 ` Kamal Heib
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).