From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 31C59A057C; Fri, 27 Mar 2020 09:11:18 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id A3C7C1C0BC; Fri, 27 Mar 2020 09:10:52 +0100 (CET) Received: from proxy.6wind.com (host.76.145.23.62.rev.coltfrance.com [62.23.145.76]) by dpdk.org (Postfix) with ESMTP id 4B0B31C02E; Fri, 27 Mar 2020 09:10:46 +0100 (CET) Received: from glumotte.dev.6wind.com. (unknown [10.16.0.195]) by proxy.6wind.com (Postfix) with ESMTP id 27CCB3B1DF5; Fri, 27 Mar 2020 09:10:46 +0100 (CET) From: Olivier Matz To: wangyunjian@huawei.com Cc: dev@dpdk.org, jerry.lilijun@huawei.com, olivier.matz@6wind.com, stable@dpdk.org, xudingke@huawei.com Date: Fri, 27 Mar 2020 09:09:55 +0100 Message-Id: <20200327080955.19571-4-olivier.matz@6wind.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200327080955.19571-1-olivier.matz@6wind.com> References: <1584592680-14000-1-git-send-email-wangyunjian@huawei.com> <20200327080955.19571-1-olivier.matz@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH v2 3/3] kvargs: fix a heap buffer overflow when parsing list X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Yunjian Wang When the input string is "key=[", the ending '\0' is replaced by a ',', leading to a heap buffer overflow. Check the content of ctx1 to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang Signed-off-by: Olivier Matz --- app/test/test_kvargs.c | 1 + lib/librte_kvargs/rte_kvargs.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c index f823b771f..2a2dae43a 100644 --- a/app/test/test_kvargs.c +++ b/app/test/test_kvargs.c @@ -217,6 +217,7 @@ static int test_invalid_kvargs(void) "foo=1,=2", /* no key */ "foo=[1,2", /* no closing bracket in value */ ",=", /* also test with a smiley */ + "foo=[", /* no value in list and no closing bracket */ NULL }; const char **args; const char *valid_keys_list[] = { "foo", "check", NULL }; diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index d39332999..1d815dcd9 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) /* Find the end of the list. */ while (str[strlen(str) - 1] != ']') { /* Restore the comma erased by strtok_r(). */ + if (ctx1[0] == '\0') + return -1; /* no closing bracket */ str[strlen(str)] = ','; /* Parse until next comma. */ str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1); -- 2.25.1