From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <Allain.Legacy@windriver.com>
Received: from mail.windriver.com (mail.windriver.com [147.11.1.11])
 by dpdk.org (Postfix) with ESMTP id E29D32E8A
 for <dev@dpdk.org>; Thu, 30 Mar 2017 20:54:39 +0200 (CEST)
Received: from ALA-HCA.corp.ad.wrs.com (ala-hca.corp.ad.wrs.com
 [147.11.189.40])
 by mail.windriver.com (8.15.2/8.15.1) with ESMTPS id v2UIsbmq004233
 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL);
 Thu, 30 Mar 2017 11:54:38 -0700 (PDT)
Received: from yow-cgts4-lx.wrs.com (128.224.145.137) by
 ALA-HCA.corp.ad.wrs.com (147.11.189.50) with Microsoft SMTP Server (TLS) id
 14.3.294.0; Thu, 30 Mar 2017 11:54:37 -0700
From: Allain Legacy <allain.legacy@windriver.com>
To: <cristian.dumitrescu@intel.com>, <bruce.richardson@intel.com>
CC: <dev@dpdk.org>, <yuanhan.liu@linux.intel.com>, <thomas.monjalon@6wind.com>
Date: Thu, 30 Mar 2017 14:54:05 -0400
Message-ID: <20170330185407.61220-5-allain.legacy@windriver.com>
X-Mailer: git-send-email 2.12.1
In-Reply-To: <20170330185407.61220-1-allain.legacy@windriver.com>
References: <20170328164431.12475-1-allain.legacy@windriver.com>
 <20170330185407.61220-1-allain.legacy@windriver.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [128.224.145.137]
Subject: [dpdk-dev] [PATCH v4 4/6] cfgfile: use strnlen to constrain memchr search
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 18:54:40 -0000

The call to memchr() uses the absolute length of the string buffer instead
of the actual length of the string returned by fgets().  This causes the
search to go beyond the '\n' character and find ';' characters in random
garbage on the stack.  This then causes the 'len' variable to be updated
and the subsequent search for the '=' character to potentially find one
beyond the first newline character.

Since this bug relies on ';' and '=' characters appearing in random places
in the 'buffer' variable it is intermittently reproducible at best.

Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
---
 lib/librte_cfgfile/rte_cfgfile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
index 63e34bbb0..e4a3885b7 100644
--- a/lib/librte_cfgfile/rte_cfgfile.c
+++ b/lib/librte_cfgfile/rte_cfgfile.c
@@ -191,7 +191,7 @@ rte_cfgfile_load_with_params(const char *filename, int flags,
 					"Check if line too long\n", lineno);
 			goto error1;
 		}
-		pos = memchr(buffer, params->comment_character, sizeof(buffer));
+		pos = memchr(buffer, params->comment_character, len);
 		if (pos != NULL) {
 			*pos = '\0';
 			len = pos -  buffer;
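Review bot: the subject refers to strnlen, but the hunk only shows `len` being passed to memchr(); the commit message should state explicitly that `len` is the strnlen()-derived length of the line returned by fgets(), so that a reader of the log knows the bound is the string length rather than `sizeof(buffer)`. Since the message also says the '=' search could previously find a match past the newline, it is worth confirming in the same patch that that later search is bounded by the updated `len` (`len = pos -  buffer;` in the trailing context) in the same way; otherwise only half of the described failure is closed.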
-- 
2.12.1
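The failure the commit message describes depends on whatever stale bytes happen to sit in `buffer` past the terminating NUL. The following added example (not part of this patch or of DPDK's rte_cfgfile.c) makes that deterministic: it constructs a buffer holding a longer, stale line, overwrites the start with a shorter line the way fgets() would, and compares the comment-stripping result with a `sizeof(buffer)`-bounded search against a `strnlen()`-bounded one. The helper names `strip_comment`, `fill_buffer` and `demo_len` are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CFG_LINE_LEN 64

/* Strip a trailing comment from one config line and return the remaining
 * length. `bounded` selects the fixed behaviour: search only the strnlen()
 * length of the current line instead of the whole buffer. */
static size_t strip_comment(char *buffer, size_t bufsize, char comment, int bounded)
{
	size_t len = strnlen(buffer, bufsize);
	/* Unbounded search covers stale bytes beyond the NUL written by fgets(). */
	size_t limit = bounded ? len : bufsize;
	char *pos = memchr(buffer, comment, limit);

	if (pos != NULL) {
		*pos = '\0';
		len = pos - buffer; /* may exceed the real line length when unbounded */
	}
	return len;
}

/* Build a buffer that looks like a reused stack buffer: a constructed stale,
 * longer line, then a shorter line written over its head as fgets() would. */
static void fill_buffer(char *buffer, size_t bufsize)
{
	static const char stale[] = "key=value ; old trailing comment =x\n";

	memset(buffer, 0, bufsize);
	memcpy(buffer, stale, sizeof stale);
	/* fgets() stores "name=1\n" plus a NUL and leaves the tail untouched. */
	memcpy(buffer, "name=1\n", 8);
}

/* Returns the length strip_comment() reports for the constructed line. */
size_t demo_len(int bounded)
{
	char buffer[CFG_LINE_LEN];

	fill_buffer(buffer, sizeof buffer);
	return strip_comment(buffer, sizeof buffer, ';', bounded);
}

int main(void)
{
	printf("sizeof(buffer)-bounded memchr: len=%zu\n", demo_len(0)); /* 10 */
	printf("strnlen-bounded memchr:        len=%zu\n", demo_len(1)); /* 7 */
	return 0;
}
```

With the unbounded search the ';' from the stale tail is found and `len` grows past the real line, which is exactly the state that lets the later '=' search wander past the newline.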