aoe: updating aoe driver from erik quanstros 9atom

1  the config string was grabbed Aoehsz too far into the packet due to using the wrong pointer to start.
  2  never accept a response with tag Tmgmt or Tfree.
  3  defend against "malicious" responses; ones with a response Aoehdr.type != request Aoehdr.type. this previously could
 cause the initiator to crash.
  4  vendor commands were improperly filtered out.
This commit is contained in:
cinap_lenrek 2013-05-01 18:50:07 +02:00
parent d4414b3959
commit 0124d865a6
2 changed files with 93 additions and 56 deletions

View file

@ -65,7 +65,14 @@ enum {
AAFext = 1<<6,
};
typedef struct {
typedef struct Aoehdr Aoehdr;
typedef struct Aoeata Aoeata;
typedef struct Aoecfg Aoecfg;
typedef struct Aoemd Aoemd;
typedef struct Aoem Aoem;
typedef struct Aoerr Aoerr;
struct Aoehdr {
uchar dst[Eaddrlen];
uchar src[Eaddrlen];
uchar type[2];
@ -75,43 +82,43 @@ typedef struct {
uchar minor;
uchar cmd;
uchar tag[4];
} Aoehdr;
};
typedef struct {
struct Aoeata {
uchar aflag;
uchar errfeat;
uchar scnt;
uchar cmdstat;
uchar lba[6];
uchar res[2];
} Aoeata;
};
typedef struct {
struct Aoecfg {
uchar bufcnt[2];
uchar fwver[2];
uchar scnt;
uchar verccmd;
uchar cslen[2];
} Aoecfg;
};
typedef struct {
struct Aoemd {
uchar dres;
uchar dcmd;
uchar ea[Eaddrlen];
} Aoemd;
};
typedef struct {
struct Aoem {
uchar mres;
uchar mcmd;
uchar merr;
uchar mcnt;
} Aoem;
};
typedef struct {
typedef struct Aoerr {
uchar rcmd;
uchar nea;
uchar ea0[];
} Aoerr;
};
extern char Echange[];
extern char Enotup[];

View file

@ -1,5 +1,5 @@
/*
* © 2005-10 coraid
* © 2005-13 coraid
* aoe storage initiator
*/
@ -23,7 +23,12 @@
#define uprint(...) snprint(up->genbuf, sizeof up->genbuf, __VA_ARGS__);
enum {
Maxunits = 0xff,
Typebits = 4,
Unitbits = 12,
L3bits = 4,
Maxtype = (1<<Typebits)-1,
Maxunits = (1<<Unitbits)-1,
Maxl3 = (1<<L3bits)-1,
Maxframes = 128,
Maxmtu = 100000,
Ndevlink = 6,
@ -31,11 +36,11 @@ enum {
Nnetlink = 6,
};
#define TYPE(q) ((ulong)(q).path & 0xf)
#define UNIT(q) (((ulong)(q).path>>4) & 0xff)
#define L(q) (((ulong)(q).path>>12) & 0xf)
#define QID(u, t) ((u)<<4 | (t))
#define Q3(l, u, t) ((l)<<8 | QID(u, t))
#define TYPE(q) ((ulong)(q).path & Maxtype)
#define UNIT(q) (((ulong)(q).path>>Typebits) & Maxunits)
#define L(q) (((ulong)(q).path>>Typebits+Unitbits) & Maxl3)
#define QID(u, t) ((u)<<Typebits | (t))
#define Q3(l, u, t) ((l)<<Typebits+Unitbits | QID(u, t))
#define UP(d) ((d)->flag & Dup)
#define Ticks MACHP(0)->ticks
@ -520,7 +525,7 @@ pickea(Devlink *l)
#define Nofail(d, s) (((d)->flag&Dnofail) == Dnofail)
static int
hset(Aoedev *d, Frame *f, Aoehdr *h, int cmd)
hset(Aoedev *d, Frame *f, Aoehdr *h, int cmd, int new)
{
int i;
Devlink *l;
@ -550,7 +555,9 @@ hset(Aoedev *d, Frame *f, Aoehdr *h, int cmd)
h->minor = d->minor;
h->cmd = cmd;
hnputl(h->tag, f->tag = newtag(d));
if(new)
f->tag = newtag(d);
hnputl(h->tag, f->tag);
f->dl = l;
f->nl = l->nl;
f->eaidx = i;
@ -567,7 +574,7 @@ resend(Aoedev *d, Frame *f)
Aoehdr *h;
h = (Aoehdr*)f->hdr;
if(hset(d, f, h, h->cmd) == -1)
if(hset(d, f, h, h->cmd, 0) == -1)
return -1;
a = (Aoeata*)(f->hdr + Aoehsz);
n = f->bcnt;
@ -771,19 +778,25 @@ aoeattach(char *spec)
return c;
}
static Aoedev*
unitseq(ulong unit)
static int
unitseq(Chan *c, uint unit, Dir *dp)
{
int i;
int i, rv;
Qid q;
Aoedev *d;
i = 0;
rv = -1;
rlock(&devs);
for(d = devs.d; d; d = d->next)
if(i++ == unit)
if(i++ == unit){
mkqid(&q, QID(d->unit, Qunitdir), 0, QTDIR);
devdir(c, q, unitname(d), 0, eve, 0555, dp);
rv = 1;
break;
}
runlock(&devs);
return d;
return rv;
}
static Aoedev*
@ -915,11 +928,7 @@ aoegen(Chan *c, char *, Dirtab *, int, int s, Dir *dp)
if(s < Qtopfiles)
return topgen(c, Qtopbase + s, dp);
s -= Qtopfiles;
if((d = unitseq(s)) == 0)
return -1;
mkqid(&q, QID(d->unit, Qunitdir), 0, QTDIR);
devdir(c, q, unitname(d), 0, eve, 0555, dp);
return 1;
return unitseq(c, s, dp);
case Qtopctl:
case Qtoplog:
return topgen(c, TYPE(c->qid), dp);
@ -1031,7 +1040,7 @@ atarw(Aoedev *d, Frame *f)
f->nhdr = Aoehsz + Aoeatasz;
memset(f->hdr, 0, f->nhdr);
h = (Aoehdr*)f->hdr;
if(hset(d, f, h, ACata) == -1){
if(hset(d, f, h, ACata, 1) == -1){
d->inprocess = nil;
return;
}
@ -1267,7 +1276,7 @@ pstat(Aoedev *d, char *db, int len, int off)
int i;
char *state, *s, *p, *e;
s = p = malloc(READSTR);
s = p = smalloc(READSTR);
e = p + READSTR;
state = "down";
@ -1454,7 +1463,7 @@ configwrite(Aoedev *d, void *db, long len)
if(len > sizeof d->config)
error(Etoobig);
srb = srballoc(len);
s = smalloc(len);
s = malloc(len);
memmove(s, db, len);
if(waserror()){
srbfree(srb);
@ -1480,7 +1489,7 @@ configwrite(Aoedev *d, void *db, long len)
f->nhdr = Aoehsz + Aoecfgsz;
memset(f->hdr, 0, f->nhdr);
h = (Aoehdr*)f->hdr;
if(hset(d, f, h, ACconfig) == -1)
if(hset(d, f, h, ACconfig, 1) == -1)
return 0;
ch = (Aoecfg*)(f->hdr + Aoehsz);
f->srb = srb;
@ -1705,7 +1714,7 @@ addnet(char *path, Chan *cc, Chan *dc, Chan *mtu, uchar *ea)
nl->mtu = mtu;
strncpy(nl->path, path, sizeof(nl->path)-1);
nl->path[sizeof(nl->path)-1] = 0;
memmove(nl->ea, ea, sizeof(nl->ea));
memmove(nl->ea, ea, sizeof nl->ea);
poperror();
nl->flag |= Dup;
unlock(&netlinks);
@ -1748,7 +1757,7 @@ newdev(uint major, uint minor, int n)
d = malloc(sizeof *d);
f = malloc(sizeof *f*Maxframes);
if(!d || !f) {
if(d == nil || f == nil) {
free(d);
free(f);
error("aoe device allocation failure");
@ -1828,7 +1837,7 @@ ataident(Aoedev *d)
f->nhdr = Aoehsz + Aoeatasz;
memset(f->hdr, 0, f->nhdr);
h = (Aoehdr*)f->hdr;
if(hset(d, f, h, ACata) == -1)
if(hset(d, f, h, ACata, 1) == -1)
return;
a = (Aoeata*)(f->hdr + Aoehsz);
f->srb = srbkalloc(0, 0);
@ -1911,7 +1920,7 @@ errrsp(Block *b, char *s)
if(n == Tmgmt || n == Tfree)
return;
d = mm2dev(nhgets(h->major), h->minor);
if(d == 0)
if(d == nil)
return;
if(f = getframe(d, n))
frameerror(d, f, s);
@ -1923,7 +1932,7 @@ qcfgrsp(Block *b, Netlink *nl)
int cmd, cslen, blen;
uint n, major;
Aoedev *d;
Aoehdr *h;
Aoehdr *h, *h0;
Aoecfg *ch;
Devlink *l;
Frame *f;
@ -1933,7 +1942,7 @@ qcfgrsp(Block *b, Netlink *nl)
ch = (Aoecfg*)(b->rp + Aoehsz);
major = nhgets(h->major);
n = nhgetl(h->tag);
if(n != Tmgmt){
if(n != Tmgmt && n != Tfree){
d = mm2dev(major, h->minor);
if(d == nil)
return;
@ -1944,6 +1953,13 @@ qcfgrsp(Block *b, Netlink *nl)
eventlog("%æ: unknown response tag %ux\n", d, n);
return;
}
h0 = (Aoehdr*)f->hdr;
cmd = h0->cmd;
if(cmd != ACconfig){
qunlock(d);
eventlog("%æ: malicious server got ACconfig want %d; tag %ux\n", d, cmd, n);
return;
}
cslen = nhgets(ch->cslen);
blen = BLEN(b) - (Aoehsz + Aoecfgsz);
if(cslen < blen && BLEN(b) > 60)
@ -1954,7 +1970,7 @@ qcfgrsp(Block *b, Netlink *nl)
d, n, cslen, blen);
cslen = blen;
}
memmove(f->dp, (uchar*)ch + Aoehsz + Aoecfgsz, cslen);
memmove(f->dp, b->rp + Aoehsz + Aoecfgsz, cslen);
srb = f->srb;
f->dp = nil;
f->srb = nil;
@ -1997,11 +2013,13 @@ qcfgrsp(Block *b, Netlink *nl)
l = newdevlink(d, nl, h); /* add this interface. */
d->fwver = nhgets(ch->fwver);
n = nhgets(ch->cslen);
if(n > sizeof d->config)
n = sizeof d->config;
d->nconfig = n;
memmove(d->config, (uchar*)ch + Aoehsz + Aoecfgsz, n);
cslen = nhgets(ch->cslen);
if(cslen > sizeof d->config)
cslen = sizeof d->config;
if(Aoehsz + Aoecfgsz + cslen > BLEN(b))
cslen = BLEN(b) - (Aoehsz + Aoecfgsz);
d->nconfig = cslen;
memmove(d->config, b->rp + Aoehsz + Aoecfgsz, cslen);
/* manually set mtu may be reset lower if conditions warrant */
if(l){
@ -2028,10 +2046,12 @@ aoeidentify(Aoedev *d, ushort *id)
vlong s;
s = idfeat(d, id);
if(s == -1)
if(s == -1){
eventlog("%æ: idfeat returns -1\n", d);
return -1;
}
if((d->feat&Dlba) == 0){
dprint("%æ: no lba support\n", d);
eventlog("%æ: no lba support\n", d);
return -1;
}
d->flag |= Dup;
@ -2078,10 +2098,10 @@ identify(Aoedev *d, ushort *id)
static void
atarsp(Block *b)
{
uint n;
uint n, cmd;
ushort major;
Aoeata *ahin, *ahout;
Aoehdr *h;
Aoehdr *h, *h0;
Aoedev *d;
Frame *f;
Srb *srb;
@ -2098,11 +2118,20 @@ atarsp(Block *b)
nexterror();
}
n = nhgetl(h->tag);
if(n == Tfree || n == Tmgmt)
goto bail;
f = getframe(d, n);
if(f == nil){
dprint("%æ: unexpected response; tag %ux\n", d, n);
eventlog("%æ: unexpected response; tag %ux\n", d, n);
goto bail;
}
h0 = (Aoehdr*)f->hdr;
cmd = h0->cmd;
if(cmd != ACata){
eventlog("%æ: malicious server got ACata want %d; tag %ux\n", d, cmd, n);
goto bail;
}
rtupdate(f->dl, tsince(f->tag));
ahout = (Aoeata*)(f->hdr + Aoehsz);
srb = f->srb;
@ -2168,7 +2197,7 @@ static void
netrdaoeproc(void *v)
{
int idx;
char name[Maxpath], *s;
char name[Maxpath+1], *s;
Aoehdr *h;
Block *b;
Netlink *nl;
@ -2197,13 +2226,14 @@ netrdaoeproc(void *v)
h = (Aoehdr*)b->rp;
if(h->verflag & AFrsp)
if(s = aoeerror(h)){
eventlog("%s: %s\n", nl->path, s);
eventlog("%s: %d.%d %s\n", nl->path,
h->major[0]<<8 | h->major[1], h->minor, s);
errrsp(b, s);
}else if(h->cmd == ACata)
atarsp(b);
else if(h->cmd == ACconfig)
qcfgrsp(b, nl);
else if((h->cmd & 0xf0) == 0){
else if((h->cmd & 0xf0) != 0xf0){
eventlog("%s: unknown cmd %d\n",
nl->path, h->cmd);
errrsp(b, "unknown command");