From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 31C59A057C;
	Fri, 27 Mar 2020 09:11:18 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id A3C7C1C0BC;
	Fri, 27 Mar 2020 09:10:52 +0100 (CET)
Received: from proxy.6wind.com (host.76.145.23.62.rev.coltfrance.com
 [62.23.145.76]) by dpdk.org (Postfix) with ESMTP id 4B0B31C02E;
 Fri, 27 Mar 2020 09:10:46 +0100 (CET)
Received: from glumotte.dev.6wind.com. (unknown [10.16.0.195])
 by proxy.6wind.com (Postfix) with ESMTP id 27CCB3B1DF5;
 Fri, 27 Mar 2020 09:10:46 +0100 (CET)
From: Olivier Matz <olivier.matz@6wind.com>
To: wangyunjian@huawei.com
Cc: dev@dpdk.org, jerry.lilijun@huawei.com, olivier.matz@6wind.com,
 stable@dpdk.org, xudingke@huawei.com
Date: Fri, 27 Mar 2020 09:09:55 +0100
Message-Id: <20200327080955.19571-4-olivier.matz@6wind.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200327080955.19571-1-olivier.matz@6wind.com>
References: <1584592680-14000-1-git-send-email-wangyunjian@huawei.com>
 <20200327080955.19571-1-olivier.matz@6wind.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH v2 3/3] kvargs: fix a heap buffer overflow when
	parsing list
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: Yunjian Wang <wangyunjian@huawei.com>

When the input string is "key=[", the ending '\0' is replaced
by a ',', leading to a heap buffer overflow.

Check the content of ctx1 to avoid this problem.

Fixes: cc0579f2339a ("kvargs: support list value")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
---
 app/test/test_kvargs.c         | 1 +
 lib/librte_kvargs/rte_kvargs.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c
index f823b771f..2a2dae43a 100644
--- a/app/test/test_kvargs.c
+++ b/app/test/test_kvargs.c
@@ -217,6 +217,7 @@ static int test_invalid_kvargs(void)
 		"foo=1,=2",        /* no key */
 		"foo=[1,2",        /* no closing bracket in value */
 		",=",              /* also test with a smiley */
+		"foo=[",           /* no value in list and no closing bracket */
 		NULL };
 	const char **args;
 	const char *valid_keys_list[] = { "foo", "check", NULL };
diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c
index d39332999..1d815dcd9 100644
--- a/lib/librte_kvargs/rte_kvargs.c
+++ b/lib/librte_kvargs/rte_kvargs.c
@@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
 			/* Find the end of the list. */
 			while (str[strlen(str) - 1] != ']') {
 				/* Restore the comma erased by strtok_r(). */
+				if (ctx1[0] == '\0')
+					return -1; /* no closing bracket */
 				str[strlen(str)] = ',';
 				/* Parse until next comma. */
 				str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1);
-- 
2.25.1