From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by dpdk.org (Postfix) with ESMTP id B05E84C80; Wed, 13 Mar 2019 12:05:03 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Mar 2019 04:05:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.58,474,1544515200"; d="scan'208";a="140387931" Received: from fyigit-mobl.ger.corp.intel.com (HELO [10.237.221.46]) ([10.237.221.46]) by FMSMGA003.fm.intel.com with ESMTP; 13 Mar 2019 04:05:00 -0700 To: Aaron Conole , "Parthasarathy, JananeeX M" Cc: "'dev@dpdk.org'" , "Pattan, Reshma" , "Rao, Nikhil" , "'stable@dpdk.org'" , "Poornima, PallantlaX" References: <1549449822-412-1-git-send-email-pallantlax.poornima@intel.com> <7AE31235A30B41498D1C31348DC858BD5B534A73@IRSMSX103.ger.corp.intel.com> <7AE31235A30B41498D1C31348DC858BD5B54DCD4@IRSMSX103.ger.corp.intel.com> From: Ferruh Yigit Openpgp: preference=signencrypt Autocrypt: addr=ferruh.yigit@intel.com; prefer-encrypt=mutual; keydata= mQINBFXZCFABEADCujshBOAaqPZpwShdkzkyGpJ15lmxiSr3jVMqOtQS/sB3FYLT0/d3+bvy qbL9YnlbPyRvZfnP3pXiKwkRoR1RJwEo2BOf6hxdzTmLRtGtwWzI9MwrUPj6n/ldiD58VAGQ +iR1I/z9UBUN/ZMksElA2D7Jgg7vZ78iKwNnd+vLBD6I61kVrZ45Vjo3r+pPOByUBXOUlxp9 GWEKKIrJ4eogqkVNSixN16VYK7xR+5OUkBYUO+sE6etSxCr7BahMPKxH+XPlZZjKrxciaWQb +dElz3Ab4Opl+ZT/bK2huX+W+NJBEBVzjTkhjSTjcyRdxvS1gwWRuXqAml/sh+KQjPV1PPHF YK5LcqLkle+OKTCa82OvUb7cr+ALxATIZXQkgmn+zFT8UzSS3aiBBohg3BtbTIWy51jNlYdy ezUZ4UxKSsFuUTPt+JjHQBvF7WKbmNGS3fCid5Iag4tWOfZoqiCNzxApkVugltxoc6rG2TyX CmI2rP0mQ0GOsGXA3+3c1MCdQFzdIn/5tLBZyKy4F54UFo35eOX8/g7OaE+xrgY/4bZjpxC1 1pd66AAtKb3aNXpHvIfkVV6NYloo52H+FUE5ZDPNCGD0/btFGPWmWRmkPybzColTy7fmPaGz cBcEEqHK4T0aY4UJmE7Ylvg255Kz7s6wGZe6IR3N0cKNv++O7QARAQABtCVGZXJydWggWWln aXQgPGZlcnJ1aC55aWdpdEBpbnRlbC5jb20+iQJVBBMBAgA/AhsDBgsJCAcDAgYVCAIJCgsE FgIDAQIeAQIXgBYhBNI2U4dCLsKE45mBx/kz60PfE2EfBQJbughWBQkHwjOGAAoJEPkz60Pf E2Eft84QAIbKWqhgqRfoiw/BbXbA1+qm2o4UgkCRQ0yJgt9QsnbpOmPKydHH0ixCliNz1J8e mRXCkMini1bTpnzp7spOjQGLeAFkNFz6BMq8YF2mVWbGEDE9WgnAxZdi0eLY7ZQnHbE6AxKL SXmpe9INb6z3ztseFt7mqje/W/6DWYIMnH3Yz9KzxujFWDcq8UCAvPkxVQXLTMpauhFgYeEx Nub5HbvhxTfUkapLwRQsSd/HbywzqZ3s/bbYMjj5JO3tgMiM9g9HOjv1G2f1dQjHi5YQiTZl 1eIIqQ3pTic6ROaiZqNmQFXPsoOOFfXF8nN2zg8kl/sSdoXWHhama5hbwwtl1vdaygQYlmdK H2ueiFh/UvT3WG3waNv2eZiEbHV8Rk52Xyn2w1G90lV0fYC6Ket1Xjoch7kjwbx793Kz/RfQ rmBY8/S4DTGn3oq3dMdQY+b6+7VMUeLMMh2CXYO9ErkOq+qNTD1IY+cBAkXnaDbQfz0zbste ZGWH74FAZ9nCpDOqbRTrBL42aMGhfOWEyeA1x7+hl6JZfabBWAuf4nnCXuorKHzBXTrf7u7p fXsKQClWRW77PF1VmzrtKNVSytQAmlCWApQIw20AarFipXmVdIjHmJPU611WoyxZPb4JTOxx 5cv9B+nr/RIB+v5dcStyHCCwO1be7nBDdCgd4F6kTQPLuQINBFfWTL4BEACnNA29e8TarUsB L5n6eLZHXcFvVwNLVlirWOClHXf44o2KnN3ww+eBEmKVfEFo9MSuGDNHS8Zw1NiGMYxLIUgd U6gGrVVs/VrQWL82pbMk6jCj98N+BXIri+6K1z+AImz7ax7iF1kDgRAnFWU0znWWBgM2mM8Y gDjcxfXk4sCKnvf6Gjo08Ey5zmqx7dekAKU2EEp8Q1EJY3jbymLdZWRP4AFFMTS1rGMk0/tt v71NBg1GobCcbNfn9chK/jhqxYhAJqq86RdJQkt3/9x1U1Oq0vXCt4JVVHmkxePtUiuWTTt+ aYlUAsKYZsWvncExvw77x2ArYDmaK0yfjh37wp0lY7DOJHFxoyT8tyWZlLci/VMRG2Ja33xj 0CN4C1yBg+QDeV3QFxQo42iA/ykdXPUR3ezmsND3XKvVLTC4DNb3V/EZQ7jBj64+bEK0VW4G B31VP00ApNQvSoczsIOAKdk97RNbpmPw6q10ILIB+9T1xbnFYzshzGF17oC0/GENIHATx8vZ masOZoDiOZQpeneLgnFE9JfzhLTxv6wNZcc/HLXRQVTkDsQr8ERtkAoHCf1E5+b5Yr7pfnE4 YuhET746o25S53ELUYPIs49qoJsEJL34/oexMfPGyPIlrbufiNyty5jc/1MRwUlhJlJ5IOHy ZUa+6CLR7GdImusFkPJUJwARAQABiQI8BBgBAgAmAhsMFiEE0jZTh0IuwoTjmYHH+TPrQ98T YR8FAlu6CHAFCQXE7zIACgkQ+TPrQ98TYR9nXxAAqNBgkYNyGuWUuy0GwDQCbu3iiMyH1+D7 llafPcK4NYy1Z4AYuVwC9nmLaoj+ozdqS3ncRo57ncRsKEJC46nDJJZYZ5LSJVn63Y3NBF86 lxQAgjj2oyZEwaLKtKbAFsXL43jv1pUGgSvWwYtDwHITXXFQto9rZEuUDRFSx4sg9OR+Q6/6 LY+nQQ3OdHlBkflzYMPcWgDcvcTAO6yasLEUf7UcYoSWTyMYjLB4QuNlXzTswzGVMssJF/vo V8lD1eqqaSUWG3STF6GVLQOr1NLvN5+kUBiEStHFxBpgSCvYY9sNV8FS6N24CAWMBl+10W+D 2h1yiiP5dOdPcBDYKsgqDD91/sP0WdyMJkwdQJtD49f9f+lYloxHnSAxMleOpyscg1pldw+i mPaUY1bmIknLhhkqfMmjywQOXpac5LRMibAAYkcB8v7y3kwELnt8mhqqZy6LUsqcWygNbH/W K3GGt5tRpeIXeJ25x8gg5EBQ0Jnvp/IbBYQfPLtXH0Myq2QuAhk/1q2yEIbVjS+7iowEZNyE 56K63WBJxsJPB2mvmLgn98GqB4G6GufP1ndS0XDti/2K0o8rep9xoY/JDGi0n0L0tk9BHyoP Y7kaEpu7UyY3nVdRLe5H1/MnFG8hdJ97WqnPS0buYZlrbTV0nRFL/NI2VABl18vEEXvNQiO+ vM8= Message-ID: Date: Wed, 13 Mar 2019 11:04:59 +0000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Subject: Re: [dpdk-dev] [dpdk-stable] [PATCH] test/eventdev: fix sprintf with snprintf X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2019 11:05:04 -0000 On 3/12/2019 2:44 PM, Aaron Conole wrote: > "Parthasarathy, JananeeX M" writes: > >> Hi >> >>> -----Original Message----- >>> From: Parthasarathy, JananeeX M >>> Sent: Tuesday, February 19, 2019 6:33 PM >>> To: Aaron Conole ; Poornima, PallantlaX >>> >>> Cc: dev@dpdk.org; Pattan, Reshma ; Rao, Nikhil >>> ; stable@dpdk.org >>> Subject: RE: [dpdk-dev] [PATCH] test/eventdev: fix sprintf with snprintf >>> >>> >>> >>>> -----Original Message----- >>>> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Aaron Conole >>>> Sent: Saturday, February 09, 2019 2:50 AM >>>> To: Poornima, PallantlaX >>>> Cc: dev@dpdk.org; Pattan, Reshma ; Rao, Nikhil >>>> ; stable@dpdk.org >>>> Subject: Re: [dpdk-dev] [PATCH] test/eventdev: fix sprintf with >>>> snprintf >>>> >>>> Pallantla Poornima writes: >>>> >>>>> sprintf function is not secure as it doesn't check the length of string. >>>>> More secure function snprintf is used. >>>>> >>>>> Fixes: 2a9c83ae3b ("test/eventdev: add multi-ports test") >>>>> Cc: stable@dpdk.org >>>>> >>>>> Signed-off-by: Pallantla Poornima >>>>> --- >>>>> test/test/test_event_eth_rx_adapter.c | 3 ++- >>>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>>> >>>>> diff --git a/test/test/test_event_eth_rx_adapter.c >>>>> b/test/test/test_event_eth_rx_adapter.c >>>>> index 1d3be82b5..38f5c039f 100644 >>>>> --- a/test/test/test_event_eth_rx_adapter.c >>>>> +++ b/test/test/test_event_eth_rx_adapter.c >>>>> @@ -479,7 +479,8 @@ adapter_multi_eth_add_del(void) >>>>> /* add the max port for rx_adapter */ >>>>> port_index = rte_eth_dev_count_total(); >>>>> for (; port_index < RTE_MAX_ETHPORTS; port_index += 1) { >>>>> - sprintf(driver_name, "%s%u", "net_null", drv_id); >>>>> + snprintf(driver_name, sizeof(driver_name), "%s%u", "net_null", >>>>> + drv_id); >>>>> err = rte_vdev_init(driver_name, NULL); >>>>> TEST_ASSERT(err == 0, "Failed driver %s got %d", >>>>> driver_name, err); >>>> >>>> You call this a fix, but it's not possible for the value of drv_id to >>>> exceed '32' and the buffer size is plenty accommodating for that. Did >>>> I miss something? What is this fixing? >>> >>> It is better practice to use snprintf although in this case buffer will not overflow >>> as size is big enough to accommodate. The changes were done mainly to >>> replace sprintf to snprintf. Probably we can remove "fix" line as it is not issue in >>> this scenario. >>> >>> Thanks >>> M.P.Jananee >> >> Please suggest if we can remove "fix" line. > > This is a stylistic change, I don't think it's appropriate to call it a > fix, so I think you can remove the "Fixes" line. > > On further reflection, I actually think it will still be wrong. If the > size buffer is ever changed, what will happen on truncation? We don't > get an overflow any longer, but we still pass an invalid argument, so I > don't think this 'fix' is really even a fix. It still has a bug - > albeit not one that immediately triggers SSP exception or stack > overflow. > > Makes sense? Hi Aaron, I see your point and I agree that existing code is not broken, it is functioning well as it is. But we are fixing a possible issue, or lets say fixing using less secure API although it doesn't cause any problem right now. Perhaps we can update the patch title slightly [1] but I am for keeping the fix and I think it makes sense to keep "Fixes" tag so that this update can be backported to stable trees. Thanks, ferruh [1] test/eventdev: fix possible buffer overflow