From owner-freebsd-net@FreeBSD.ORG Thu Jun 27 21:30:02 2013 Return-Path: Delivered-To: freebsd-net@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 0B00118C for ; Thu, 27 Jun 2013 21:30:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id F14751FDA for ; Thu, 27 Jun 2013 21:30:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r5RLU1k2016997 for ; Thu, 27 Jun 2013 21:30:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r5RLU1x9016996; Thu, 27 Jun 2013 21:30:01 GMT (envelope-from gnats) Date: Thu, 27 Jun 2013 21:30:01 GMT Message-Id: <201306272130.r5RLU1x9016996@freefall.freebsd.org> To: freebsd-net@FreeBSD.org Cc: From: John Baldwin Subject: Re: kern/179999: [ofed] [patch] Bug assigning HCA from IB to ETH X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: John Baldwin List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jun 2013 21:30:02 -0000 The following reply was made to PR kern/179999; it has been noted by GNATS. From: John Baldwin To: bug-followup@freebsd.org, shahark@mellanox.com Cc: Subject: Re: kern/179999: [ofed] [patch] Bug assigning HCA from IB to ETH Date: Thu, 27 Jun 2013 14:10:42 -0400 Thanks, I think the sysfs fix has a few issues though (it writes to buf[] even if the copyin() fails, and it doesn't enforce a bounds check). It does seem that this should probably be using sysctl_handle_string() instead of doing it by hand, but for now I've just adjusted your patch. Can you please test this version? Index: ofed/drivers/net/mlx4/main.c =================================================================== --- ofed/drivers/net/mlx4/main.c (revision 252306) +++ ofed/drivers/net/mlx4/main.c (working copy) @@ -479,11 +479,11 @@ int i; int err = 0; - if (!strcmp(buf, "ib\n")) + if (!strcmp(buf, "ib")) info->tmp_type = MLX4_PORT_TYPE_IB; - else if (!strcmp(buf, "eth\n")) + else if (!strcmp(buf, "eth")) info->tmp_type = MLX4_PORT_TYPE_ETH; - else if (!strcmp(buf, "auto\n")) + else if (!strcmp(buf, "auto")) info->tmp_type = MLX4_PORT_TYPE_AUTO; else { mlx4_err(mdev, "%s is not supported port type\n", buf); Index: ofed/include/linux/sysfs.h =================================================================== --- ofed/include/linux/sysfs.h (revision 252306) +++ ofed/include/linux/sysfs.h (working copy) @@ -104,10 +104,15 @@ error = SYSCTL_OUT(req, buf, len); if (error || !req->newptr || ops->store == NULL) goto out; - error = SYSCTL_IN(req, buf, PAGE_SIZE); + len = req->newlen - req->newidx; + if (len >= PAGE_SIZE) + error = EINVAL; + else + error = SYSCTL_IN(req, buf, len); if (error) goto out; - len = ops->store(kobj, attr, buf, req->newlen); + ((char *)buf)[len] = '\0'; + len = ops->store(kobj, attr, buf, len); if (len < 0) error = -len; out: -- John Baldwin