* [dpdk-stable] [PATCH v3 1/2] raw/ifpga: terminate string filled by readlink with null
2020-10-30 7:35 [dpdk-stable] [PATCH v2 0/2] raw/ifpga: fix coverity defects Wei Huang
@ 2020-10-30 7:35 ` Wei Huang
2020-10-30 7:35 ` [dpdk-stable] [PATCH v3 2/2] raw/ifpga: use trusted buffer to free Wei Huang
1 sibling, 0 replies; 3+ messages in thread
From: Wei Huang @ 2020-10-30 7:35 UTC (permalink / raw)
To: dev, rosen.xu, qi.z.zhang; +Cc: stable, Wei Huang
readlink() does not terminate string, add a null character at the end
of the string if readlink() succeeds.
Coverity issue: 362820
Fixes: 9c006c45d0c5 ("raw/ifpga: scan PCIe BDF device tree")
Signed-off-by: Wei Huang <wei.huang@intel.com>
---
v2: fix coding style issue
v3: add coverity issue number
---
drivers/raw/ifpga/ifpga_rawdev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index 0385514..f9de167 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -230,8 +230,9 @@ static int ifpga_rawdev_fill_info(struct ifpga_rawdev *ifpga_dev,
memset(link, 0, sizeof(link));
memset(link1, 0, sizeof(link1));
ret = readlink(path, link, (sizeof(link)-1));
- if (ret == -1)
+ if ((ret < 0) || ((unsigned int)ret > (sizeof(link)-1)))
return -1;
+ link[ret] = 0; /* terminate string with null character */
strlcpy(link1, link, sizeof(link1));
memset(ifpga_dev->parent_bdf, 0, 16);
point = strlen(link);
--
2.7.3
^ permalink raw reply [flat|nested] 3+ messages in thread
* [dpdk-stable] [PATCH v3 2/2] raw/ifpga: use trusted buffer to free
2020-10-30 7:35 [dpdk-stable] [PATCH v2 0/2] raw/ifpga: fix coverity defects Wei Huang
2020-10-30 7:35 ` [dpdk-stable] [PATCH v3 1/2] raw/ifpga: terminate string filled by readlink with null Wei Huang
@ 2020-10-30 7:35 ` Wei Huang
1 sibling, 0 replies; 3+ messages in thread
From: Wei Huang @ 2020-10-30 7:35 UTC (permalink / raw)
To: dev, rosen.xu, qi.z.zhang; +Cc: stable, Wei Huang
In rte_fpga_do_pr, calling function read() may taints argument buffer
which turn to an untrusted value as argumen of rte_free().
Coverity issue: 279449
Fixes: ef1e8ede3da5 ("raw/ifpga: add Intel FPGA bus rawdev driver")
Signed-off-by: Wei Huang <wei.huang@intel.com>
---
v2: add fixes information to log
v3: add coverity issue number
---
drivers/raw/ifpga/ifpga_rawdev.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index f9de167..27129b1 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -786,7 +786,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
int file_fd;
int ret = 0;
ssize_t buffer_size;
- void *buffer;
+ void *buffer, *buf_to_free;
u64 pr_error;
if (!file_name)
@@ -818,6 +818,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
ret = -ENOMEM;
goto close_fd;
}
+ buf_to_free = buffer;
/*read the raw data*/
if (buffer_size != read(file_fd, (void *)buffer, buffer_size)) {
@@ -835,8 +836,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
}
free_buffer:
- if (buffer)
- rte_free(buffer);
+ if (buf_to_free)
+ rte_free(buf_to_free);
close_fd:
close(file_fd);
file_fd = 0;
--
2.7.3
^ permalink raw reply [flat|nested] 3+ messages in thread