* [dpdk-stable] [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect list @ 2020-03-19 4:38 wangyunjian 2020-03-25 16:31 ` Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes Olivier Matz 0 siblings, 2 replies; 9+ messages in thread From: wangyunjian @ 2020-03-19 4:38 UTC (permalink / raw) To: dev; +Cc: olivier.matz, jerry.lilijun, xudingke, Yunjian Wang, stable From: Yunjian Wang <wangyunjian@huawei.com> When an input params'value is '[', leading to the 'str' over read or heap-buffer-overflow. So we can check the 'ctx1' length to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> --- lib/librte_kvargs/rte_kvargs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index d39332999..a1144b90b 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -48,7 +48,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) str = kvlist->pairs[i].value; if (str[0] == '[') { /* Find the end of the list. */ - while (str[strlen(str) - 1] != ']') { + while ((str[strlen(str) - 1] != ']') && + (strlen(ctx1) > 0)) { /* Restore the comma erased by strtok_r(). */ str[strlen(str)] = ','; /* Parse until next comma. */ -- 2.19.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [dpdk-stable] [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect list 2020-03-19 4:38 [dpdk-stable] [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect list wangyunjian @ 2020-03-25 16:31 ` Olivier Matz 2020-03-26 10:01 ` [dpdk-stable] 答复: " wangyunjian 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes Olivier Matz 1 sibling, 1 reply; 9+ messages in thread From: Olivier Matz @ 2020-03-25 16:31 UTC (permalink / raw) To: wangyunjian; +Cc: dev, jerry.lilijun, xudingke, stable Hi, On Thu, Mar 19, 2020 at 12:38:00PM +0800, wangyunjian wrote: > From: Yunjian Wang <wangyunjian@huawei.com> > > When an input params'value is '[', leading to the 'str' over read > or heap-buffer-overflow. So we can check the 'ctx1' length to avoid > this problem. > > Fixes: cc0579f2339a ("kvargs: support list value") > Cc: stable@dpdk.org > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> > --- > lib/librte_kvargs/rte_kvargs.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c > index d39332999..a1144b90b 100644 > --- a/lib/librte_kvargs/rte_kvargs.c > +++ b/lib/librte_kvargs/rte_kvargs.c > @@ -48,7 +48,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) > str = kvlist->pairs[i].value; > if (str[0] == '[') { > /* Find the end of the list. */ > - while (str[strlen(str) - 1] != ']') { > + while ((str[strlen(str) - 1] != ']') && > + (strlen(ctx1) > 0)) { > /* Restore the comma erased by strtok_r(). */ > str[strlen(str)] = ','; > /* Parse until next comma. */ I would prefer to keep the while condition as is, like this: /* Restore the comma erased by strtok_r(). */ + if (ctx1[0] == '\0') + return -1; /* no closing bracket */ str[strlen(str)] = ','; It avoids an uneeded call to strlen(), and ensure we are returning an error in that case. I also wanted to add a test case, but I realized that kvargs unit tests are broken now. I have done 2 patches to fix them. Do you mind if I send a patchset with these 2 patches + your patch (keeping your signed-off and doing the modification described above), to ensure there is no implicit dependency? Thanks, Olivier ^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-stable] 答复: [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect list 2020-03-25 16:31 ` Olivier Matz @ 2020-03-26 10:01 ` wangyunjian 0 siblings, 0 replies; 9+ messages in thread From: wangyunjian @ 2020-03-26 10:01 UTC (permalink / raw) To: Olivier Matz; +Cc: dev, Lilijun (Jerry), xudingke, stable > -----邮件原件----- > 发件人: Olivier Matz [mailto:olivier.matz@6wind.com] > 发送时间: 2020年3月26日 0:32 > 收件人: wangyunjian <wangyunjian@huawei.com> > 抄送: dev@dpdk.org; Lilijun (Jerry) <jerry.lilijun@huawei.com>; xudingke > <xudingke@huawei.com>; stable@dpdk.org > 主题: Re: [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect > list > > Hi, > > On Thu, Mar 19, 2020 at 12:38:00PM +0800, wangyunjian wrote: > > From: Yunjian Wang <wangyunjian@huawei.com> > > > > When an input params'value is '[', leading to the 'str' over read or > > heap-buffer-overflow. So we can check the 'ctx1' length to avoid this > > problem. > > > > Fixes: cc0579f2339a ("kvargs: support list value") > > Cc: stable@dpdk.org > > > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> > > --- > > lib/librte_kvargs/rte_kvargs.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/lib/librte_kvargs/rte_kvargs.c > > b/lib/librte_kvargs/rte_kvargs.c index d39332999..a1144b90b 100644 > > --- a/lib/librte_kvargs/rte_kvargs.c > > +++ b/lib/librte_kvargs/rte_kvargs.c > > @@ -48,7 +48,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const > char *params) > > str = kvlist->pairs[i].value; > > if (str[0] == '[') { > > /* Find the end of the list. */ > > - while (str[strlen(str) - 1] != ']') { > > + while ((str[strlen(str) - 1] != ']') && > > + (strlen(ctx1) > 0)) { > > /* Restore the comma erased by strtok_r(). */ > > str[strlen(str)] = ','; > > /* Parse until next comma. */ > > I would prefer to keep the while condition as is, like this: > > /* Restore the comma erased by > strtok_r(). */ > + if (ctx1[0] == '\0') > + return -1; /* no closing > bracket > + */ > str[strlen(str)] = ','; > > It avoids an uneeded call to strlen(), and ensure we are returning an error in > that case. > > I also wanted to add a test case, but I realized that kvargs unit tests are broken > now. I have done 2 patches to fix them. > > Do you mind if I send a patchset with these 2 patches + your patch (keeping > your signed-off and doing the modification described above), to ensure there is > no implicit dependency? No, I don’t mind. I agree with your view. Thanks Yunjian > > Thanks, > Olivier ^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-stable] [PATCH v2 0/3] kvargs fixes 2020-03-19 4:38 [dpdk-stable] [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect list wangyunjian 2020-03-25 16:31 ` Olivier Matz @ 2020-03-27 8:09 ` Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 1/3] tests/kvargs: fix to consider empty elements as valid Olivier Matz ` (3 more replies) 1 sibling, 4 replies; 9+ messages in thread From: Olivier Matz @ 2020-03-27 8:09 UTC (permalink / raw) To: wangyunjian; +Cc: dev, jerry.lilijun, olivier.matz, stable, xudingke This patchset fixes a buffer overflow in kvargs when parsing an invalid string, and fixes the kvargs unit tests. Olivier Matz (2): tests/kvargs: fix to consider empty elements as valid tests/kvargs: fix check of invalid cases Yunjian Wang (1): kvargs: fix a heap buffer overflow when parsing list app/test/test_kvargs.c | 40 +++++++++++++++++++++++++++++++--- lib/librte_kvargs/rte_kvargs.c | 2 ++ 2 files changed, 39 insertions(+), 3 deletions(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-stable] [PATCH v2 1/3] tests/kvargs: fix to consider empty elements as valid 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes Olivier Matz @ 2020-03-27 8:09 ` Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 2/3] tests/kvargs: fix check of invalid cases Olivier Matz ` (2 subsequent siblings) 3 siblings, 0 replies; 9+ messages in thread From: Olivier Matz @ 2020-03-27 8:09 UTC (permalink / raw) To: wangyunjian; +Cc: dev, jerry.lilijun, olivier.matz, stable, xudingke Empty elements passed to the kvargs parser are silently ignored. Examples of valid strings: "" "," ",,,,,,key=val,,,," Fix the unit tests to conform to this behavior. Note: the test_invalid_kvargs() function is currently broken, which explain why the tests were not failing. It is fixed in the next commit. Fixes: e495f5435524 ("kvargs: add test case in app/test") Cc: stable@dpdk.org Signed-off-by: Olivier Matz <olivier.matz@6wind.com> --- app/test/test_kvargs.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c index a42056f36..d3db88a57 100644 --- a/app/test/test_kvargs.c +++ b/app/test/test_kvargs.c @@ -142,7 +142,7 @@ static int test_valid_kvargs(void) valid_keys = valid_keys_list; kvlist = rte_kvargs_parse(args, valid_keys); if (kvlist == NULL) { - printf("rte_kvargs_parse() error"); + printf("rte_kvargs_parse() error\n"); goto fail; } if (strcmp(kvlist->pairs[0].value, "[0,1]") != 0) { @@ -157,6 +157,40 @@ static int test_valid_kvargs(void) } rte_kvargs_free(kvlist); + /* test using empty string (it is valid) */ + args = ""; + kvlist = rte_kvargs_parse(args, NULL); + if (kvlist == NULL) { + printf("rte_kvargs_parse() error\n"); + goto fail; + } + if (rte_kvargs_count(kvlist, NULL) != 0) { + printf("invalid count value\n"); + goto fail; + } + rte_kvargs_free(kvlist); + + /* test using empty elements (it is valid) */ + args = "foo=1,,check=value2,,"; + kvlist = rte_kvargs_parse(args, NULL); + if (kvlist == NULL) { + printf("rte_kvargs_parse() error\n"); + goto fail; + } + if (rte_kvargs_count(kvlist, NULL) != 2) { + printf("invalid count value\n"); + goto fail; + } + if (rte_kvargs_count(kvlist, "foo") != 1) { + printf("invalid count value for 'foo'\n"); + goto fail; + } + if (rte_kvargs_count(kvlist, "check") != 1) { + printf("invalid count value for 'check'\n"); + goto fail; + } + rte_kvargs_free(kvlist); + return 0; fail: @@ -179,7 +213,6 @@ static int test_invalid_kvargs(void) const char *args_list[] = { "wrong-key=x", /* key not in valid_keys_list */ "foo=1,foo=", /* empty value */ - "foo=1,,foo=2", /* empty key/value */ "foo=1,foo", /* no value */ "foo=1,=2", /* no key */ "foo=[1,2", /* no closing bracket in value */ -- 2.25.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-stable] [PATCH v2 2/3] tests/kvargs: fix check of invalid cases 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 1/3] tests/kvargs: fix to consider empty elements as valid Olivier Matz @ 2020-03-27 8:09 ` Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 3/3] kvargs: fix a heap buffer overflow when parsing list Olivier Matz 2020-03-27 15:16 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes David Marchand 3 siblings, 0 replies; 9+ messages in thread From: Olivier Matz @ 2020-03-27 8:09 UTC (permalink / raw) To: wangyunjian; +Cc: dev, jerry.lilijun, olivier.matz, stable, xudingke The return was not properly placed, and only the first test case was validated. Fixes: e495f5435524 ("kvargs: add test case in app/test") Cc: stable@dpdk.org Signed-off-by: Olivier Matz <olivier.matz@6wind.com> --- app/test/test_kvargs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c index d3db88a57..f823b771f 100644 --- a/app/test/test_kvargs.c +++ b/app/test/test_kvargs.c @@ -230,8 +230,8 @@ static int test_invalid_kvargs(void) rte_kvargs_free(kvlist); goto fail; } - return 0; } + return 0; fail: printf("while processing <%s>", *args); -- 2.25.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-stable] [PATCH v2 3/3] kvargs: fix a heap buffer overflow when parsing list 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 1/3] tests/kvargs: fix to consider empty elements as valid Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 2/3] tests/kvargs: fix check of invalid cases Olivier Matz @ 2020-03-27 8:09 ` Olivier Matz 2020-03-27 15:16 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes David Marchand 3 siblings, 0 replies; 9+ messages in thread From: Olivier Matz @ 2020-03-27 8:09 UTC (permalink / raw) To: wangyunjian; +Cc: dev, jerry.lilijun, olivier.matz, stable, xudingke From: Yunjian Wang <wangyunjian@huawei.com> When the input string is "key=[", the ending '\0' is replaced by a ',', leading to a heap buffer overflow. Check the content of ctx1 to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> Signed-off-by: Olivier Matz <olivier.matz@6wind.com> --- app/test/test_kvargs.c | 1 + lib/librte_kvargs/rte_kvargs.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c index f823b771f..2a2dae43a 100644 --- a/app/test/test_kvargs.c +++ b/app/test/test_kvargs.c @@ -217,6 +217,7 @@ static int test_invalid_kvargs(void) "foo=1,=2", /* no key */ "foo=[1,2", /* no closing bracket in value */ ",=", /* also test with a smiley */ + "foo=[", /* no value in list and no closing bracket */ NULL }; const char **args; const char *valid_keys_list[] = { "foo", "check", NULL }; diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index d39332999..1d815dcd9 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) /* Find the end of the list. */ while (str[strlen(str) - 1] != ']') { /* Restore the comma erased by strtok_r(). */ + if (ctx1[0] == '\0') + return -1; /* no closing bracket */ str[strlen(str)] = ','; /* Parse until next comma. */ str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1); -- 2.25.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [dpdk-stable] [PATCH v2 0/3] kvargs fixes 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes Olivier Matz ` (2 preceding siblings ...) 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 3/3] kvargs: fix a heap buffer overflow when parsing list Olivier Matz @ 2020-03-27 15:16 ` David Marchand 2020-03-27 17:12 ` David Marchand 3 siblings, 1 reply; 9+ messages in thread From: David Marchand @ 2020-03-27 15:16 UTC (permalink / raw) To: Olivier Matz; +Cc: wangyunjian, dev, Lilijun (Jerry), dpdk stable, xudingke On Fri, Mar 27, 2020 at 9:10 AM Olivier Matz <olivier.matz@6wind.com> wrote: > > This patchset fixes a buffer overflow in kvargs when parsing an invalid > string, and fixes the kvargs unit tests. > > Olivier Matz (2): > tests/kvargs: fix to consider empty elements as valid > tests/kvargs: fix check of invalid cases > > Yunjian Wang (1): > kvargs: fix a heap buffer overflow when parsing list For the series, Reviewed-by: David Marchand <david.marchand@redhat.com> -- David Marchand ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [dpdk-stable] [PATCH v2 0/3] kvargs fixes 2020-03-27 15:16 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes David Marchand @ 2020-03-27 17:12 ` David Marchand 0 siblings, 0 replies; 9+ messages in thread From: David Marchand @ 2020-03-27 17:12 UTC (permalink / raw) To: Olivier Matz; +Cc: wangyunjian, dev, Lilijun (Jerry), dpdk stable, xudingke On Fri, Mar 27, 2020 at 4:16 PM David Marchand <david.marchand@redhat.com> wrote: > > On Fri, Mar 27, 2020 at 9:10 AM Olivier Matz <olivier.matz@6wind.com> wrote: > > > > This patchset fixes a buffer overflow in kvargs when parsing an invalid > > string, and fixes the kvargs unit tests. > > > > Olivier Matz (2): > > tests/kvargs: fix to consider empty elements as valid > > tests/kvargs: fix check of invalid cases > > > > Yunjian Wang (1): > > kvargs: fix a heap buffer overflow when parsing list > > For the series, > Reviewed-by: David Marchand <david.marchand@redhat.com> Applied, thanks. -- David Marchand ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-03-27 17:12 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-03-19 4:38 [dpdk-stable] [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect list wangyunjian 2020-03-25 16:31 ` Olivier Matz 2020-03-26 10:01 ` [dpdk-stable] 答复: " wangyunjian 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 1/3] tests/kvargs: fix to consider empty elements as valid Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 2/3] tests/kvargs: fix check of invalid cases Olivier Matz 2020-03-27 8:09 ` [dpdk-stable] [PATCH v2 3/3] kvargs: fix a heap buffer overflow when parsing list Olivier Matz 2020-03-27 15:16 ` [dpdk-stable] [PATCH v2 0/3] kvargs fixes David Marchand 2020-03-27 17:12 ` David Marchand
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).