Fix a couple of bugs found by covscan

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>

0001-util-fix-overflow-in-remap_node_name.patch

@@ -0,0 +1,85 @@
+From 5075b961a29ff9c418e1fefe78432e95dd0a5fcc Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Wed, 1 Feb 2023 22:41:06 +0100
+Subject: [PATCH 1/3] util: fix overflow in remap_node_name()
+
+The function remap_node_name() assumes the parameter 'nodedesc' is at
+least IB_SMP_DATA_SIZE + 1 (i.e. 65) bytes long, because it passes it to
+clean_nodedesc() that writes a nul-terminator to it at offset
+IB_SMP_DATA_SIZE. Callers in infiniband-diags/saquery.c pass
+a (struct ib_node_desc_t).description as the argument, which is only
+IB_NODE_DESCRIPTION_SIZE (i.e. 64) bytes long. This is an overflow.
+
+An odd thing about remap_node_name() is that it may (but does not
+always) rewrite the nodedesc in-place. Callers do not appear to
+appreciate this behavior. Most of them are various print_* and dump_*
+functions where rewriting the input makes no sense. Some callers make a
+local copy of the nodedesc first, possibly to protect the original.
+One caller (infiniband-diags/saquery.c:print_node_records()) checks if
+either the original description or the remapped one matches a given
+requested_name - so it looks like it prefers the original to be
+not rewritten.
+
+Let's make remap_node_name() a bit safer and more convenient to use.
+Allocate a fixed-sized copy first. Then use strncpy to copy from
+'nodedesc', never reading more than IB_SMP_DATA_SIZE (64) bytes.
+Apply clean_nodedesc() on the correctly-sized copy. This solves the
+overflow bug. Also, the in-place rewrite of 'nodedesc' is gone and it
+can become a (const char*).
+
+The overflow was found by a static checker (covscan).
+
+Fixes: d974c4e398d2 ("Fix max length of node description (ibnetdiscover and smpquery)")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+---
+ util/node_name_map.c | 12 +++++++++---
+ util/node_name_map.h |  3 +--
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/util/node_name_map.c b/util/node_name_map.c
+index 30b73eb1448e..511cb92ef19c 100644
+--- a/util/node_name_map.c
++++ b/util/node_name_map.c
+@@ -95,7 +95,7 @@ void close_node_name_map(nn_map_t * map)
+ 	free(map);
+ }
+ 
+-char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc)
++char *remap_node_name(nn_map_t * map, uint64_t target_guid, const char *nodedesc)
+ {
+ 	char *rc = NULL;
+ 	name_map_item_t *item = NULL;
+@@ -108,8 +108,14 @@ char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc)
+ 		rc = strdup(item->name);
+ 
+ done:
+-	if (rc == NULL)
+-		rc = strdup(clean_nodedesc(nodedesc));
++	if (rc == NULL) {
++		rc = malloc(IB_SMP_DATA_SIZE + 1);
++		if (rc) {
++			strncpy(rc, nodedesc, IB_SMP_DATA_SIZE);
++			rc[IB_SMP_DATA_SIZE] = '\0';
++			clean_nodedesc(rc);
++		}
++	}
+ 	return (rc);
+ }
+ 
+diff --git a/util/node_name_map.h b/util/node_name_map.h
+index e78d274b116e..d83d672782c4 100644
+--- a/util/node_name_map.h
++++ b/util/node_name_map.h
+@@ -12,8 +12,7 @@ typedef struct nn_map nn_map_t;
+ 
+ nn_map_t *open_node_name_map(const char *node_name_map);
+ void close_node_name_map(nn_map_t *map);
+-/* NOTE: parameter "nodedesc" may be modified here. */
+-char *remap_node_name(nn_map_t *map, uint64_t target_guid, char *nodedesc);
++char *remap_node_name(nn_map_t *map, uint64_t target_guid, const char *nodedesc);
+ char *clean_nodedesc(char *nodedesc);
+ 
+ #endif
+-- 
+2.39.1
+

0002-infiniband-diags-drop-unnecessary-nodedesc-local-cop.patch

@@ -0,0 +1,95 @@
+From d5723a0f69577fd3022024ca17c27e273a29695b Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Wed, 1 Feb 2023 22:41:16 +0100
+Subject: [PATCH 2/3] infiniband-diags: drop unnecessary nodedesc local copies
+
+Now that remap_node_name() never rewrites nodedesc in-place, some
+copying can be avoided.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+---
+ infiniband-diags/dump_fts.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/infiniband-diags/dump_fts.c b/infiniband-diags/dump_fts.c
+index ce6bfb9ecc33..acef9efe692d 100644
+--- a/infiniband-diags/dump_fts.c
++++ b/infiniband-diags/dump_fts.c
+@@ -109,7 +109,6 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl,
+ 				  unsigned endl, struct ibmad_port *mad_port)
+ {
+ 	ib_portid_t *portid = &node->path_portid;
+-	char nd[IB_SMP_DATA_SIZE + 1] = { 0 };
+ 	char str[512];
+ 	char *s;
+ 	uint64_t nodeguid;
+@@ -119,7 +118,6 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl,
+ 	char *mapnd = NULL;
+ 	int n = 0;
+ 
+-	memcpy(nd, node->nodedesc, strlen(node->nodedesc));
+ 	nports = node->numports;
+ 	nodeguid = node->guid;
+ 
+@@ -149,7 +147,7 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl,
+ 		endl = IB_MAX_MCAST_LID;
+ 	}
+ 
+-	mapnd = remap_node_name(node_name_map, nodeguid, nd);
++	mapnd = remap_node_name(node_name_map, nodeguid, node->nodedesc);
+ 
+ 	printf("Multicast mlids [0x%x-0x%x] of switch %s guid 0x%016" PRIx64
+ 	       " (%s):\n", startl, endl, portid2str(portid), nodeguid,
+@@ -224,8 +222,6 @@ static int dump_lid(char *str, int str_len, int lid, int valid,
+ 		    ibnd_fabric_t *fabric, int *last_port_lid,
+ 		    int *base_port_lid, uint64_t *portguid)
+ {
+-	char nd[IB_SMP_DATA_SIZE + 1] = { 0 };
+-
+ 	ibnd_port_t *port = NULL;
+ 
+ 	char ntype[50], sguid[30];
+@@ -276,14 +272,12 @@ static int dump_lid(char *str, int str_len, int lid, int valid,
+ 	baselid = port->base_lid;
+ 	lmc = port->lmc;
+ 
+-	memcpy(nd, port->node->nodedesc, strlen(port->node->nodedesc));
+-
+ 	if (lmc > 0) {
+ 		*base_port_lid = baselid;
+ 		*last_port_lid = baselid + (1 << lmc) - 1;
+ 	}
+ 
+-	mapnd = remap_node_name(node_name_map, nodeguid, nd);
++	mapnd = remap_node_name(node_name_map, nodeguid, port->node->nodedesc);
+  
+ 	rc = snprintf(str, str_len, ": (%s portguid %s: '%s')",
+ 		      mad_dump_val(IB_NODE_TYPE_F, ntype, sizeof ntype,
+@@ -302,7 +296,6 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl,
+ {
+ 	ib_portid_t * portid = &node->path_portid;
+ 	char lft[IB_SMP_DATA_SIZE] = { 0 };
+-	char nd[IB_SMP_DATA_SIZE + 1] = { 0 };
+ 	char str[200];
+ 	uint64_t nodeguid;
+ 	int block, i, e, top;
+@@ -315,7 +308,6 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl,
+ 	mad_decode_field(node->switchinfo, IB_SW_LINEAR_FDB_TOP_F, &top);
+ 	nodeguid = node->guid;
+ 	nports = node->numports;
+-	memcpy(nd, node->nodedesc, strlen(node->nodedesc));
+ 
+ 	if (!endl || endl > top)
+ 		endl = top;
+@@ -326,7 +318,7 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl,
+ 		endl = IB_MAX_UCAST_LID;
+ 	}
+ 
+-	mapnd = remap_node_name(node_name_map, nodeguid, nd);
++	mapnd = remap_node_name(node_name_map, nodeguid, node->nodedesc);
+ 
+ 	printf("Unicast lids [0x%x-0x%x] of switch %s guid 0x%016" PRIx64
+ 	       " (%s):\n", startl, endl, portid2str(portid), nodeguid,
+-- 
+2.39.1
+

0003-libibnetdisc-fix-printing-a-possibly-non-NUL-termina.patch

@@ -0,0 +1,38 @@
+From 45fcc7ad41216a93bafb452f7d7a4507d52722cd Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Wed, 1 Feb 2023 23:30:52 +0100
+Subject: [PATCH 3/3] libibnetdisc: fix printing a possibly non-NUL-terminated
+ string
+
+Found by a static check (covscan).
+
+Fixes: d974c4e398d2 ("Fix max length of node description (ibnetdiscover and smpquery)")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+---
+ libibnetdisc/chassis.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libibnetdisc/chassis.c b/libibnetdisc/chassis.c
+index a3ec1d82807c..bc1a8aff8acb 100644
+--- a/libibnetdisc/chassis.c
++++ b/libibnetdisc/chassis.c
+@@ -597,7 +597,7 @@ static int fill_mellanox_chassis_record(ibnd_node_t * node)
+ 	int p = 0;
+ 	ibnd_port_t *port;
+ 
+-	char node_desc[IB_SMP_DATA_SIZE];
++	char node_desc[IB_SMP_DATA_SIZE + 1];
+ 	char *system_name;
+ 	char *system_type;
+ 	char *system_slot_name;
+@@ -617,6 +617,7 @@ static int fill_mellanox_chassis_record(ibnd_node_t * node)
+ 	 */
+ 
+ 	memcpy(node_desc, node->nodedesc, IB_SMP_DATA_SIZE);
++	node_desc[IB_SMP_DATA_SIZE] = '\0';
+ 
+ 	IBND_DEBUG("fill_mellanox_chassis_record: node_desc:%s \n",node_desc);
+ 
+-- 
+2.39.1
+

rdma-core.spec

@@ -1,6 +1,6 @@
 Name: rdma-core
 Version: 44.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: RDMA core userspace libraries and daemons
 
 # Almost everything is licensed under the OFA dual GPLv2, 2 Clause BSD license
@@ -10,8 +10,12 @@ Summary: RDMA core userspace libraries and daemons
 License: GPLv2 or BSD
 Url: https://github.com/linux-rdma/rdma-core
 Source: https://github.com/linux-rdma/rdma-core/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Patch1: 0001-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch
+# 0001-0003: https://github.com/linux-rdma/rdma-core/pull/1308
-Patch2: udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch
+Patch1: 0001-util-fix-overflow-in-remap_node_name.patch
+Patch2: 0002-infiniband-diags-drop-unnecessary-nodedesc-local-cop.patch
+Patch3: 0003-libibnetdisc-fix-printing-a-possibly-non-NUL-termina.patch
+Patch9998: 9998-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch
+Patch9999: 9999-udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch
 # Do not build static libs by default.
 %define with_static %{?_with_static: 1} %{?!_with_static: 0}
 
@@ -273,11 +277,14 @@ easy, object-oriented access to IB verbs.
 
 %prep
 %setup -q
-%if 0%{?fedora}
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%if 0%{?fedora}
+%patch9998 -p1
 %endif
 %if 0%{?rhel}
-%patch2 -p1
+%patch9999 -p1
 %endif
 
 %build
@@ -663,6 +670,9 @@ fi
 %endif
 
 %changelog
+* Thu Feb 02 2023 Michal Schmidt <mschmidt@redhat.com> - 44.0-2
+- Fix a couple of bugs found by covscan.
+
 * Tue Jan 31 2023 Michal Schmidt <mschmidt@redhat.com> - 44.0-1
 - Rebase to upstream v44.0.