From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gaetan.rivet@6wind.com>
Received: from mail-wm0-f45.google.com (mail-wm0-f45.google.com [74.125.82.45])
 by dpdk.org (Postfix) with ESMTP id DDD4799A6
 for <dev@dpdk.org>; Mon, 31 Jul 2017 12:29:18 +0200 (CEST)
Received: by mail-wm0-f45.google.com with SMTP id m85so165819183wma.1
 for <dev@dpdk.org>; Mon, 31 Jul 2017 03:29:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=6wind-com.20150623.gappssmtp.com; s=20150623;
 h=from:to:cc:subject:date:message-id;
 bh=I9lcGc2lxBkNn5W9MUcN6p+G9BhOgH7KJ1oNySR+Uy0=;
 b=eTa97B0wQX+b+4tePf+QbpFYGgyb+5qWf6hU5dyBPak0uapYbLOTZTJHpkaFTWPa8t
 R9JrEEFdaHi9M069rgGq9y0u7gy03nEqBppZZqDHw89m4hDsTzzYccRQ0Tj1c2zPJ4V5
 L/4tgr7sFLQTJKMCNYXVLq0Rgab6WPoahrLuh0fc9G8q9DwoXjuh+ZVCVWbYde1NaptI
 UDRhCMPvHajmiH5VtfM9zY4/njpFXSACVoGOSjkrs1O2XIaADARYsfIKNRleNinEBFbR
 vc9Kpph2tkHml4AiSme2WBF5xs8u3s2yPzrzLm2n9gPLHGsyBSAguCvJbOeLvvFt4HPS
 3jGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id;
 bh=I9lcGc2lxBkNn5W9MUcN6p+G9BhOgH7KJ1oNySR+Uy0=;
 b=b5wH0OpRK5xiuQWAY9VQ9SEIAK5Cnuk+AGVKS2ZEdH078wu5rDSWqis7OZoblbnd+Q
 3KHvskTJ1gD6BOA6DTrosR2SCGawjpfmKjQFBUOE5NBrpomn3TiT95I+nLsG8IEyu1se
 K1Nsh1FP6I8DcIFaaxhG+wvqtwrElUfST5+SsifZfc1XjfhpjfsAAqrZ3ce6d/oY5Z3K
 SwhcvAZt+qcuNBVh7ftYSuFVdGydQsivt0KdRbk/VD1gs5NSbXHXC3UepF6CpBS7S7nR
 ps9iK94elFd0Gy4H4F3EMzqNj9QAvFZgO+mre+lesZRdEAyXnQjf1Gtla5ZN8ls5XYG0
 QL3w==
X-Gm-Message-State: AIVw111NfOfZS7kjwQwCp2nPl75T/NLkHd7qaPIXig+yggWiJJXhrhb6
 txLOst40V7jBJZv3Rbc=
X-Received: by 10.28.11.131 with SMTP id 125mr2650533wml.82.1501496958040;
 Mon, 31 Jul 2017 03:29:18 -0700 (PDT)
Received: from bidouze.dev.6wind.com (host.78.145.23.62.rev.coltfrance.com.
 [62.23.145.78])
 by smtp.gmail.com with ESMTPSA id w71sm9687528wmd.6.2017.07.31.03.29.17
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Mon, 31 Jul 2017 03:29:17 -0700 (PDT)
From: Gaetan Rivet <gaetan.rivet@6wind.com>
To: dev@dpdk.org
Cc: Gaetan Rivet <gaetan.rivet@6wind.com>,
 Ferruh Yigit <ferruh.yigit@intel.com>
Date: Mon, 31 Jul 2017 12:29:02 +0200
Message-Id: <1757afd2673591a59ebd69cef7b569d344f20e7c.1501496827.git.gaetan.rivet@6wind.com>
X-Mailer: git-send-email 2.1.4
Subject: [dpdk-dev] [PATCH] ethdev: fix invalid length write on dev detach
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 10:29:19 -0000

The name of a device is copied in a provided buffer within
rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
the intended array usually pointed to.

The name field of an rte_device is not assured however to point an
rte_devargs name field. The almost correct length to base this copy over
is thus RTE_DEV_NAME_MAX_LEN.

Almost correct, because unfortunately this function does not allow the
user to pass down a size parameter for the buffer it is meant to write.
This API should be fixed, it is broken by design.

Fixes: a1e7c17555e8 ("ethdev: use device name from device structure")
Cc: Ferruh Yigit <ferruh.yigit@intel.com>

Signed-off-by: Gaetan Rivet <gaetan.rivet@6wind.com>
---
 lib/librte_ether/rte_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/librte_ether/rte_ethdev.c b/lib/librte_ether/rte_ethdev.c
index 805ef63..0597641 100644
--- a/lib/librte_ether/rte_ethdev.c
+++ b/lib/librte_ether/rte_ethdev.c
@@ -436,8 +436,8 @@ rte_eth_dev_detach(uint8_t port_id, char *name)
 	if (rte_eth_dev_is_detachable(port_id))
 		goto err;
 
-	snprintf(name, sizeof(rte_eth_devices[port_id].device->name),
-		 "%s", rte_eth_devices[port_id].device->name);
+	snprintf(name, RTE_DEV_NAME_MAX_LEN, "%s",
+		 rte_eth_devices[port_id].device->name);
 
 	ret = rte_eal_dev_detach(rte_eth_devices[port_id].device);
 	if (ret < 0)
-- 
2.1.4