[RFC v2 09/14] vhost: check for overflow in xstat name

DPDK patches and discussions
 help / color / mirror / Atom feed

From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Cc: Stephen Hemminger <stephen@networkplumber.org>
Subject: [RFC v2 09/14] vhost: check for overflow in xstat name
Date: Thu,  4 Dec 2025 18:28:18 -0800	[thread overview]
Message-ID: <20251205022948.327743-10-stephen@networkplumber.org> (raw)
In-Reply-To: <20251205022948.327743-1-stephen@networkplumber.org>

The snprintf to format an xstat name could overflow if called with
a long rte_vhost_stat_name. Check if that happens and warn.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/vhost/vhost.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
index 416f082dca..540f4e0635 100644
--- a/lib/vhost/vhost.c
+++ b/lib/vhost/vhost.c
@@ -2200,6 +2200,7 @@ rte_vhost_vring_stats_get_names(int vid, uint16_t queue_id,
 {
 	struct virtio_net *dev = get_device(vid);
 	unsigned int i;
+	int ret;
 
 	if (dev == NULL)
 		return -1;
@@ -2213,10 +2214,15 @@ rte_vhost_vring_stats_get_names(int vid, uint16_t queue_id,
 	if (name == NULL || size < VHOST_NB_VQ_STATS)
 		return VHOST_NB_VQ_STATS;
 
-	for (i = 0; i < VHOST_NB_VQ_STATS; i++)
-		snprintf(name[i].name, sizeof(name[i].name), "%s_q%u_%s",
-				(queue_id & 1) ? "rx" : "tx",
-				queue_id / 2, vhost_vq_stat_strings[i].name);
+	for (i = 0; i < VHOST_NB_VQ_STATS; i++) {
+		ret = snprintf(name[i].name, sizeof(name[i].name), "%s_q%u_%s",
+			       (queue_id & 1) ? "rx" : "tx",
+			       queue_id / 2, vhost_vq_stat_strings[i].name);
+		if (ret >= (int)sizeof(name[0].name))
+			VHOST_CONFIG_LOG("device", NOTICE, "truncated xstat '%s_q%u_%s'",
+					 (queue_id & 1) ? "rx" : "tx",
+					 queue_id / 2, vhost_vq_stat_strings[i].name);
+	}
 
 	return VHOST_NB_VQ_STATS;
 }
-- 
2.51.0

next prev parent reply	other threads:[~2025-12-05  2:30 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-02 17:24 [RFC 0/8] first steps in fixing buffer overflow Stephen Hemminger
2025-12-02 17:24 ` [RFC 1/8] eal: use C library to parse filesystem table Stephen Hemminger
2025-12-02 17:24 ` [RFC 2/8] hash: fix possible ring name overflow Stephen Hemminger
2025-12-02 17:24 ` [RFC 3/8] eal: warn if thread name is truncated Stephen Hemminger
2025-12-02 17:24 ` [RFC 4/8] eal: avoid format overflow when handling addresses Stephen Hemminger
2025-12-02 17:24 ` [RFC 5/8] ethdev: avoid possible overflow in xstat names Stephen Hemminger
2025-12-02 17:24 ` [RFC 6/8] efd: avoid overflowing ring name Stephen Hemminger
2025-12-02 17:24 ` [RFC 7/8] eal: add check for sysfs path overflow Stephen Hemminger
2025-12-02 17:24 ` [RFC 8/8] eal: limit maximum runtime directory and socket paths Stephen Hemminger
2025-12-05  2:28 ` [RFC v2 00/14] lib: check for string overflow Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 01/14] eal: use C library to parse filesystem table Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 02/14] test: avoid long hash names Stephen Hemminger
2025-12-05  8:29     ` Bruce Richardson
2025-12-05  2:28   ` [RFC v2 03/14] lpm: restrict name size Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 04/14] hash: avoid possible ring name overflow Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 05/14] graph: avoid overflowing comment buffer Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 06/14] eal: warn if thread name is truncated Stephen Hemminger
2025-12-05  8:32     ` Bruce Richardson
2025-12-05  2:28   ` [RFC v2 07/14] eal: avoid format overflow when handling addresses Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 08/14] ethdev: avoid possible overflow in xstat names Stephen Hemminger
2025-12-05  8:34     ` Bruce Richardson
2025-12-05  2:28   ` Stephen Hemminger [this message]
2025-12-05  2:28   ` [RFC v2 10/14] efd: avoid overflowing ring name Stephen Hemminger
2025-12-05  8:37     ` Bruce Richardson
2025-12-05  2:28   ` [RFC v2 11/14] eal: add check for sysfs path overflow Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 12/14] eal: limit maximum runtime directory and socket paths Stephen Hemminger
2025-12-05  8:46     ` Bruce Richardson
2025-12-05  2:28   ` [RFC v2 13/14] eal: check for hugefile path overflow Stephen Hemminger
2025-12-05  2:28   ` [RFC v2 14/14] lib: enable format overflow warnings Stephen Hemminger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251205022948.327743-10-stephen@networkplumber.org \
    --to=stephen@networkplumber.org \
    --cc=dev@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).