From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B2454A00C2 for ; Wed, 17 Mar 2021 09:21:29 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 19A40242B8E; Wed, 17 Mar 2021 09:21:29 +0100 (CET) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mails.dpdk.org (Postfix) with ESMTP id 2F63A4014D; Wed, 17 Mar 2021 09:21:26 +0100 (CET) IronPort-SDR: TpD15DO90T1MT5Y+CUxwnvd/bMOsZVSvI8mD9FbtcXvkrkc+EwpjedPozYDnvRBW3ZaQpuHn/Q AE9au4eF25pQ== X-IronPort-AV: E=McAfee;i="6000,8403,9925"; a="274463930" X-IronPort-AV: E=Sophos;i="5.81,255,1610438400"; d="scan'208";a="274463930" Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Mar 2021 01:21:25 -0700 IronPort-SDR: NwFDmGQ02oE04H+wjwWR4xBSevEUOxGP3C3u41h7UFRXYVHcE3jy/C651lSghnh09oEb10dkuk pI/qCi5fyz8A== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,255,1610438400"; d="scan'208";a="602144367" Received: from unknown (HELO sh_lab5_1.sh.intel.com) ([10.238.175.190]) by fmsmga006.fm.intel.com with ESMTP; 17 Mar 2021 01:21:24 -0700 From: Wei Huang To: dev@dpdk.org, rosen.xu@intel.com, qi.z.zhang@intel.com Cc: stable@dpdk.org, tianfei.zhang@intel.com, Wei Huang Date: Wed, 17 Mar 2021 04:21:33 -0400 Message-Id: <1615969296-17021-2-git-send-email-wei.huang@intel.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1615969296-17021-1-git-send-email-wei.huang@intel.com> References: <1615969296-17021-1-git-send-email-wei.huang@intel.com> Subject: [dpdk-stable] [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" In write_flash_image(), calling function "read" may taints variable "buf" which turn to an untrusted value as argument of "rte_free". Coverity issue: 367477 Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs") Signed-off-by: Wei Huang --- drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c b/drivers/raw/ifpga/base/ifpga_fme_rsu.c index 28198abd78..d32f1eccb1 100644 --- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c +++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c @@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image, uint32_t offset) { void *buf = NULL; + void *buf_to_free = NULL; int retry = 0; uint32_t length = 0; uint32_t to_transfer = 0; @@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image, close(fd); return -ENOMEM; } + buf_to_free = buf; length = smgr->rsu_length; one_percent = length / 100; @@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image, printf("\n"); end: - free(buf); + free(buf_to_free); close(fd); return ret; } -- 2.29.2