From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id F3129A0583; Thu, 19 Mar 2020 05:38:22 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id C68291515; Thu, 19 Mar 2020 05:38:21 +0100 (CET) Received: from huawei.com (szxga06-in.huawei.com [45.249.212.32]) by dpdk.org (Postfix) with ESMTP id C7DBBF90; Thu, 19 Mar 2020 05:38:19 +0100 (CET) Received: from DGGEMS413-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id 2734DD006084D79963B4; Thu, 19 Mar 2020 12:38:18 +0800 (CST) Received: from localhost (10.173.251.152) by DGGEMS413-HUB.china.huawei.com (10.3.19.213) with Microsoft SMTP Server id 14.3.487.0; Thu, 19 Mar 2020 12:38:11 +0800 From: wangyunjian To: CC: , , , Yunjian Wang , Date: Thu, 19 Mar 2020 12:38:00 +0800 Message-ID: <1584592680-14000-1-git-send-email-wangyunjian@huawei.com> X-Mailer: git-send-email 1.9.5.msysgit.1 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.173.251.152] X-CFilter-Loop: Reflected Subject: [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect list X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Yunjian Wang When an input params'value is '[', leading to the 'str' over read or heap-buffer-overflow. So we can check the 'ctx1' length to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang --- lib/librte_kvargs/rte_kvargs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index d39332999..a1144b90b 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -48,7 +48,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) str = kvlist->pairs[i].value; if (str[0] == '[') { /* Find the end of the list. */ - while (str[strlen(str) - 1] != ']') { + while ((str[strlen(str) - 1] != ']') && + (strlen(ctx1) > 0)) { /* Restore the comma erased by strtok_r(). */ str[strlen(str)] = ','; /* Parse until next comma. */ -- 2.19.1