* [dpdk-dev] [PATCH] app/testeventdev: fix buffer overflow
@ 2021-04-23 7:38 Min Hu (Connor)
2021-04-23 9:08 ` [dpdk-dev] [EXT] " Pavan Nikhilesh Bhagavatula
0 siblings, 1 reply; 3+ messages in thread
From: Min Hu (Connor) @ 2021-04-23 7:38 UTC (permalink / raw)
To: dev; +Cc: ferruh.yigit, jerinj, thomas
Tainted and unvalidated integer 'idx' used as an index, which may
lead to buffer overflow.
This patch fixed it.
Fixes: 89e5eb118017 ("app/testeventdev: add string parsing helpers")
Cc: stable@dpdk.org
Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
---
app/test-eventdev/evt_options.c | 4 ++--
app/test-eventdev/parser.c | 6 ++++--
app/test-eventdev/parser.h | 2 +-
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/app/test-eventdev/evt_options.c b/app/test-eventdev/evt_options.c
index 0d55405..061b63e 100644
--- a/app/test-eventdev/evt_options.c
+++ b/app/test-eventdev/evt_options.c
@@ -221,7 +221,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
{
int ret;
- ret = parse_lcores_list(opt->plcores, corelist);
+ ret = parse_lcores_list(opt->plcores, RTE_MAX_LCORE, corelist);
if (ret == -E2BIG)
evt_err("duplicate lcores in plcores");
@@ -233,7 +233,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)
{
int ret;
- ret = parse_lcores_list(opt->wlcores, corelist);
+ ret = parse_lcores_list(opt->wlcores, RTE_MAX_LCORE, corelist);
if (ret == -E2BIG)
evt_err("duplicate lcores in wlcores");
diff --git a/app/test-eventdev/parser.c b/app/test-eventdev/parser.c
index 24f1855..7a973cb 100644
--- a/app/test-eventdev/parser.c
+++ b/app/test-eventdev/parser.c
@@ -310,7 +310,7 @@ parse_hex_string(char *src, uint8_t *dst, uint32_t *size)
}
int
-parse_lcores_list(bool lcores[], const char *corelist)
+parse_lcores_list(bool lcores[], int lcores_num, const char *corelist)
{
int i, idx = 0;
int min, max;
@@ -332,6 +332,8 @@ parse_lcores_list(bool lcores[], const char *corelist)
if (*corelist == '\0')
return -1;
idx = strtoul(corelist, &end, 10);
+ if (idx < 0 || idx > lcores_num)
+ return -1;
if (end == NULL)
return -1;
@@ -343,7 +345,7 @@ parse_lcores_list(bool lcores[], const char *corelist)
max = idx;
if (min == RTE_MAX_LCORE)
min = idx;
- for (idx = min; idx <= max; idx++) {
+ for (idx = min; idx < max; idx++) {
if (lcores[idx] == 1)
return -E2BIG;
lcores[idx] = 1;
diff --git a/app/test-eventdev/parser.h b/app/test-eventdev/parser.h
index 673ff22..696b40a 100644
--- a/app/test-eventdev/parser.h
+++ b/app/test-eventdev/parser.h
@@ -46,5 +46,5 @@ int parse_hex_string(char *src, uint8_t *dst, uint32_t *size);
int parse_tokenize_string(char *string, char *tokens[], uint32_t *n_tokens);
-int parse_lcores_list(bool lcores[], const char *corelist);
+int parse_lcores_list(bool lcores[], int lcores_num, const char *corelist);
#endif
--
2.7.4
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dpdk-dev] [EXT] [PATCH] app/testeventdev: fix buffer overflow
2021-04-23 7:38 [dpdk-dev] [PATCH] app/testeventdev: fix buffer overflow Min Hu (Connor)
@ 2021-04-23 9:08 ` Pavan Nikhilesh Bhagavatula
2021-04-29 8:11 ` Jerin Jacob
0 siblings, 1 reply; 3+ messages in thread
From: Pavan Nikhilesh Bhagavatula @ 2021-04-23 9:08 UTC (permalink / raw)
To: Min Hu (Connor), dev; +Cc: ferruh.yigit, Jerin Jacob Kollanukkaran, thomas
>Tainted and unvalidated integer 'idx' used as an index, which may
>lead to buffer overflow.
>
>This patch fixed it.
>
>Fixes: 89e5eb118017 ("app/testeventdev: add string parsing helpers")
>Cc: stable@dpdk.org
>
>Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
Acked-by: Pavan Nikhilesh <pbhagavatula@marvell.com>
>---
> app/test-eventdev/evt_options.c | 4 ++--
> app/test-eventdev/parser.c | 6 ++++--
> app/test-eventdev/parser.h | 2 +-
> 3 files changed, 7 insertions(+), 5 deletions(-)
>
>diff --git a/app/test-eventdev/evt_options.c b/app/test-
>eventdev/evt_options.c
>index 0d55405..061b63e 100644
>--- a/app/test-eventdev/evt_options.c
>+++ b/app/test-eventdev/evt_options.c
>@@ -221,7 +221,7 @@ evt_parse_plcores(struct evt_options *opt,
>const char *corelist)
> {
> int ret;
>
>- ret = parse_lcores_list(opt->plcores, corelist);
>+ ret = parse_lcores_list(opt->plcores, RTE_MAX_LCORE,
>corelist);
> if (ret == -E2BIG)
> evt_err("duplicate lcores in plcores");
>
>@@ -233,7 +233,7 @@ evt_parse_work_lcores(struct evt_options
>*opt, const char *corelist)
> {
> int ret;
>
>- ret = parse_lcores_list(opt->wlcores, corelist);
>+ ret = parse_lcores_list(opt->wlcores, RTE_MAX_LCORE,
>corelist);
> if (ret == -E2BIG)
> evt_err("duplicate lcores in wlcores");
>
>diff --git a/app/test-eventdev/parser.c b/app/test-eventdev/parser.c
>index 24f1855..7a973cb 100644
>--- a/app/test-eventdev/parser.c
>+++ b/app/test-eventdev/parser.c
>@@ -310,7 +310,7 @@ parse_hex_string(char *src, uint8_t *dst,
>uint32_t *size)
> }
>
> int
>-parse_lcores_list(bool lcores[], const char *corelist)
>+parse_lcores_list(bool lcores[], int lcores_num, const char *corelist)
> {
> int i, idx = 0;
> int min, max;
>@@ -332,6 +332,8 @@ parse_lcores_list(bool lcores[], const char
>*corelist)
> if (*corelist == '\0')
> return -1;
> idx = strtoul(corelist, &end, 10);
>+ if (idx < 0 || idx > lcores_num)
>+ return -1;
>
> if (end == NULL)
> return -1;
>@@ -343,7 +345,7 @@ parse_lcores_list(bool lcores[], const char
>*corelist)
> max = idx;
> if (min == RTE_MAX_LCORE)
> min = idx;
>- for (idx = min; idx <= max; idx++) {
>+ for (idx = min; idx < max; idx++) {
> if (lcores[idx] == 1)
> return -E2BIG;
> lcores[idx] = 1;
>diff --git a/app/test-eventdev/parser.h b/app/test-eventdev/parser.h
>index 673ff22..696b40a 100644
>--- a/app/test-eventdev/parser.h
>+++ b/app/test-eventdev/parser.h
>@@ -46,5 +46,5 @@ int parse_hex_string(char *src, uint8_t *dst,
>uint32_t *size);
>
> int parse_tokenize_string(char *string, char *tokens[], uint32_t
>*n_tokens);
>
>-int parse_lcores_list(bool lcores[], const char *corelist);
>+int parse_lcores_list(bool lcores[], int lcores_num, const char
>*corelist);
> #endif
>--
>2.7.4
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dpdk-dev] [EXT] [PATCH] app/testeventdev: fix buffer overflow
2021-04-23 9:08 ` [dpdk-dev] [EXT] " Pavan Nikhilesh Bhagavatula
@ 2021-04-29 8:11 ` Jerin Jacob
0 siblings, 0 replies; 3+ messages in thread
From: Jerin Jacob @ 2021-04-29 8:11 UTC (permalink / raw)
To: Pavan Nikhilesh Bhagavatula
Cc: Min Hu (Connor), dev, ferruh.yigit, Jerin Jacob Kollanukkaran, thomas
On Fri, Apr 23, 2021 at 2:38 PM Pavan Nikhilesh Bhagavatula
<pbhagavatula@marvell.com> wrote:
>
> >Tainted and unvalidated integer 'idx' used as an index, which may
> >lead to buffer overflow.
> >
> >This patch fixed it.
> >
> >Fixes: 89e5eb118017 ("app/testeventdev: add string parsing helpers")
> >Cc: stable@dpdk.org
> >
> >Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
>
> Acked-by: Pavan Nikhilesh <pbhagavatula@marvell.com>
Applied to dpdk-next-net-eventdev/for-main. Thanks
>
> >---
> > app/test-eventdev/evt_options.c | 4 ++--
> > app/test-eventdev/parser.c | 6 ++++--
> > app/test-eventdev/parser.h | 2 +-
> > 3 files changed, 7 insertions(+), 5 deletions(-)
> >
> >diff --git a/app/test-eventdev/evt_options.c b/app/test-
> >eventdev/evt_options.c
> >index 0d55405..061b63e 100644
> >--- a/app/test-eventdev/evt_options.c
> >+++ b/app/test-eventdev/evt_options.c
> >@@ -221,7 +221,7 @@ evt_parse_plcores(struct evt_options *opt,
> >const char *corelist)
> > {
> > int ret;
> >
> >- ret = parse_lcores_list(opt->plcores, corelist);
> >+ ret = parse_lcores_list(opt->plcores, RTE_MAX_LCORE,
> >corelist);
> > if (ret == -E2BIG)
> > evt_err("duplicate lcores in plcores");
> >
> >@@ -233,7 +233,7 @@ evt_parse_work_lcores(struct evt_options
> >*opt, const char *corelist)
> > {
> > int ret;
> >
> >- ret = parse_lcores_list(opt->wlcores, corelist);
> >+ ret = parse_lcores_list(opt->wlcores, RTE_MAX_LCORE,
> >corelist);
> > if (ret == -E2BIG)
> > evt_err("duplicate lcores in wlcores");
> >
> >diff --git a/app/test-eventdev/parser.c b/app/test-eventdev/parser.c
> >index 24f1855..7a973cb 100644
> >--- a/app/test-eventdev/parser.c
> >+++ b/app/test-eventdev/parser.c
> >@@ -310,7 +310,7 @@ parse_hex_string(char *src, uint8_t *dst,
> >uint32_t *size)
> > }
> >
> > int
> >-parse_lcores_list(bool lcores[], const char *corelist)
> >+parse_lcores_list(bool lcores[], int lcores_num, const char *corelist)
> > {
> > int i, idx = 0;
> > int min, max;
> >@@ -332,6 +332,8 @@ parse_lcores_list(bool lcores[], const char
> >*corelist)
> > if (*corelist == '\0')
> > return -1;
> > idx = strtoul(corelist, &end, 10);
> >+ if (idx < 0 || idx > lcores_num)
> >+ return -1;
> >
> > if (end == NULL)
> > return -1;
> >@@ -343,7 +345,7 @@ parse_lcores_list(bool lcores[], const char
> >*corelist)
> > max = idx;
> > if (min == RTE_MAX_LCORE)
> > min = idx;
> >- for (idx = min; idx <= max; idx++) {
> >+ for (idx = min; idx < max; idx++) {
> > if (lcores[idx] == 1)
> > return -E2BIG;
> > lcores[idx] = 1;
> >diff --git a/app/test-eventdev/parser.h b/app/test-eventdev/parser.h
> >index 673ff22..696b40a 100644
> >--- a/app/test-eventdev/parser.h
> >+++ b/app/test-eventdev/parser.h
> >@@ -46,5 +46,5 @@ int parse_hex_string(char *src, uint8_t *dst,
> >uint32_t *size);
> >
> > int parse_tokenize_string(char *string, char *tokens[], uint32_t
> >*n_tokens);
> >
> >-int parse_lcores_list(bool lcores[], const char *corelist);
> >+int parse_lcores_list(bool lcores[], int lcores_num, const char
> >*corelist);
> > #endif
> >--
> >2.7.4
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-29 8:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-23 7:38 [dpdk-dev] [PATCH] app/testeventdev: fix buffer overflow Min Hu (Connor)
2021-04-23 9:08 ` [dpdk-dev] [EXT] " Pavan Nikhilesh Bhagavatula
2021-04-29 8:11 ` Jerin Jacob
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).