[PATCH] event/octeontx: resolve possible integer overflow

[PATCH] event/octeontx: resolve possible integer overflow

[Hanumanth Pothula]

The last argument passed to ssovf_parsekv() is an
unsigned char*, but it is accessed as an integer.
This can lead to an integer overflow.

Hence, make ensure the argument is accessed as a char
and for better error handling use strtol instead of atoi.

Signed-off-by: Hanumanth Pothula <hpothula@marvell.com>
---
 drivers/event/octeontx/ssovf_evdev.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/event/octeontx/ssovf_evdev.c b/drivers/event/octeontx/ssovf_evdev.c
index 3a933b1db7..ccb447d33a 100644
--- a/drivers/event/octeontx/ssovf_evdev.c
+++ b/drivers/event/octeontx/ssovf_evdev.c
@@ -719,8 +719,16 @@ ssovf_close(struct rte_eventdev *dev)
 static int
 ssovf_parsekv(const char *key __rte_unused, const char *value, void *opaque)
 {
-	int *flag = opaque;
-	*flag = !!atoi(value);
+	uint8_t *flag = (uint8_t *)opaque;
+	char *end;
+
+	errno = 0;
+	*flag = (uint8_t)strtol(value, &end, 2);
+	if ((errno != 0) || (value == end)) {
+		ssovf_log_err("fail to get key val ret:%d err:%d", *flag, errno);
+		return -EINVAL;
+	}
+
 	return 0;
 }
 
-- 
2.25.1

RE: [EXTERNAL] [PATCH] event/octeontx: resolve possible integer overflow

[Pavan Nikhilesh Bhagavatula]

> The last argument passed to ssovf_parsekv() is an
> unsigned char*, but it is accessed as an integer.
> This can lead to an integer overflow.
> 
> Hence, make ensure the argument is accessed as a char
> and for better error handling use strtol instead of atoi.
> 
> Signed-off-by: Hanumanth Pothula <hpothula@marvell.com>

Acked-by: Pavan Nikhilesh <pbhagavatula@marvell.com>

> ---
>  drivers/event/octeontx/ssovf_evdev.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/event/octeontx/ssovf_evdev.c
> b/drivers/event/octeontx/ssovf_evdev.c
> index 3a933b1db7..ccb447d33a 100644
> --- a/drivers/event/octeontx/ssovf_evdev.c
> +++ b/drivers/event/octeontx/ssovf_evdev.c
> @@ -719,8 +719,16 @@ ssovf_close(struct rte_eventdev *dev)
>  static int
>  ssovf_parsekv(const char *key __rte_unused, const char *value, void
> *opaque)
>  {
> -	int *flag = opaque;
> -	*flag = !!atoi(value);
> +	uint8_t *flag = (uint8_t *)opaque;
> +	char *end;
> +
> +	errno = 0;
> +	*flag = (uint8_t)strtol(value, &end, 2);
> +	if ((errno != 0) || (value == end)) {
> +		ssovf_log_err("fail to get key val ret:%d err:%d", *flag, errno);
> +		return -EINVAL;
> +	}
> +
>  	return 0;
>  }
> 
> --
> 2.25.1

Re: [PATCH] event/octeontx: resolve possible integer overflow

[Stephen Hemminger]

On Fri, 18 Oct 2024 13:29:03 +0530
Hanumanth Pothula <hpothula@marvell.com> wrote:

> The last argument passed to ssovf_parsekv() is an
> unsigned char*, but it is accessed as an integer.
> This can lead to an integer overflow.
> 
> Hence, make ensure the argument is accessed as a char
> and for better error handling use strtol instead of atoi.
> 
> Signed-off-by: Hanumanth Pothula <hpothula@marvell.com>
> ---
>  drivers/event/octeontx/ssovf_evdev.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/event/octeontx/ssovf_evdev.c b/drivers/event/octeontx/ssovf_evdev.c
> index 3a933b1db7..ccb447d33a 100644
> --- a/drivers/event/octeontx/ssovf_evdev.c
> +++ b/drivers/event/octeontx/ssovf_evdev.c
> @@ -719,8 +719,16 @@ ssovf_close(struct rte_eventdev *dev)
>  static int
>  ssovf_parsekv(const char *key __rte_unused, const char *value, void *opaque)
>  {
> -	int *flag = opaque;
> -	*flag = !!atoi(value);
> +	uint8_t *flag = (uint8_t *)opaque;
> +	char *end;
> +
> +	errno = 0;
> +	*flag = (uint8_t)strtol(value, &end, 2);
> +	if ((errno != 0) || (value == end)) {
> +		ssovf_log_err("fail to get key val ret:%d err:%d", *flag, errno);
> +		return -EINVAL;
> +	}
> +
>  	return 0;
>  }

Cast of opaque is unnecessary in C.
Use strtoul to avoid allowing negative numbers.
Passing 2 as argument makes it assume binary so 101 is legal value and returns 5
and it is not helping.


Why not:

diff --git a/drivers/event/octeontx/ssovf_evdev.c b/drivers/event/octeontx/ssovf_evdev.c
index 3a933b1db7..9804f5bc59 100644
--- a/drivers/event/octeontx/ssovf_evdev.c
+++ b/drivers/event/octeontx/ssovf_evdev.c
@@ -717,10 +717,20 @@ ssovf_close(struct rte_eventdev *dev)
 }
 
 static int
-ssovf_parsekv(const char *key __rte_unused, const char *value, void *opaque)
+ssovf_parsekv(const char *key, const char *value, void *opaque)
 {
-       int *flag = opaque;
-       *flag = !!atoi(value);
+       uint8_t *flag = opaque;
+       unsigned long v;
+       char *end;
+
+       errno = 0;
+       v = strtoul(value, &end, 0);
+       if (errno != 0 || end == value || *end != '\0') {
+               ssvf_log_err("invalid %s value %s", key, value);
+               return -EINVAL;
+       }
+
+       *flag = !!v;
        return 0;
 }