DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [Bug 792] The dev_uev_parse function has a stack overflow bug.
@ 2021-08-24  2:14 bugzilla
  2021-11-04 14:24 ` [dpdk-dev] [Bug 792] [asan] " bugzilla
  0 siblings, 1 reply; 2+ messages in thread
From: bugzilla @ 2021-08-24  2:14 UTC (permalink / raw)
  To: dev

https://bugs.dpdk.org/show_bug.cgi?id=792

            Bug ID: 792
           Summary: The dev_uev_parse function has a stack overflow bug.
           Product: DPDK
           Version: 21.08
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: core
          Assignee: dev@dpdk.org
          Reporter: zhihongx.peng@intel.com
  Target Milestone: ---

Code:
static int
dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)
{
        char action[EAL_UEV_MSG_ELEM_LEN];
        char subsystem[EAL_UEV_MSG_ELEM_LEN];
        char pci_slot_name[EAL_UEV_MSG_ELEM_LEN];
        int i = 0;

        memset(action, 0, EAL_UEV_MSG_ELEM_LEN);
        memset(subsystem, 0, EAL_UEV_MSG_ELEM_LEN);
        memset(pci_slot_name, 0, EAL_UEV_MSG_ELEM_LEN);

        while (i < length) {
                for (; i < length; i++) {
                        if (*buf)
                                break;
                        buf++;
                }
                /**
                 * check device uevent from kernel side, no need to check
                 * uevent from udev.
                 */
                if (!strncmp(buf, "libudev", 7)) {
                        buf += 7;
                        i += 7;
                        return -1;
                }
                if (!strncmp(buf, "ACTION=", 7)) {
                        buf += 7;
                        i += 7;
                        strlcpy(action, buf, sizeof(action));
                } else if (!strncmp(buf, "SUBSYSTEM=", 10)) {
                        buf += 10;
                        i += 10;
                        strlcpy(subsystem, buf, sizeof(subsystem));
                } else if (!strncmp(buf, "PCI_SLOT_NAME=", 14)) {
                        buf += 14;
                        i += 14;
                        strlcpy(pci_slot_name, buf, sizeof(subsystem));
                        event->devname = strdup(pci_slot_name);
                }
Bug description:
Because the minimum length of the buff is not judged, when the length of the
buff is less than 7, strncmp will stack buff overflow.

-- 
You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-11-04 14:24 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-24  2:14 [dpdk-dev] [Bug 792] The dev_uev_parse function has a stack overflow bug bugzilla
2021-11-04 14:24 ` [dpdk-dev] [Bug 792] [asan] " bugzilla

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).