From: luca.boccassi@gmail.com
To: Yunjian Wang
Cc: Olivier Matz, David Marchand, dpdk stable
Date: Tue, 19 May 2020 13:54:06 +0100
Message-Id: <20200519125804.104349-56-luca.boccassi@gmail.com>
In-Reply-To: <20200519125804.104349-1-luca.boccassi@gmail.com>
Subject: [dpdk-stable] patch 'kvargs: fix buffer overflow when parsing list' has been queued to stable release 19.11.3

Hi,

FYI, your patch has been queued to stable release 19.11.3
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/21/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From c285902e7baf8149b8d028601222ff68ddca768b Mon Sep 17 00:00:00 2001
From: Yunjian Wang Date: Fri, 27 Mar 2020 09:09:55 +0100 Subject: [PATCH] kvargs: fix buffer overflow when parsing list [ upstream commit ffcf831454a93c1da54299d4066dd03de6712a9b ] When the input string is "key=[", the ending '\0' is replaced by a ',', leading to a heap buffer overflow. Check the content of ctx1 to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Signed-off-by: Yunjian Wang Signed-off-by: Olivier Matz Reviewed-by: David Marchand --- app/test/test_kvargs.c | 1 + lib/librte_kvargs/rte_kvargs.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c index f823b771fb..2a2dae43a0 100644 --- a/app/test/test_kvargs.c +++ b/app/test/test_kvargs.c @@ -217,6 +217,7 @@ static int test_invalid_kvargs(void) "foo=1,=2", /* no key */ "foo=[1,2", /* no closing bracket in value */ ",=", /* also test with a smiley */ + "foo=[", /* no value in list and no closing bracket */ NULL }; const char **args; const char *valid_keys_list[] = { "foo", "check", NULL }; diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index d39332999e..1d815dcd96 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) /* Find the end of the list. */ while (str[strlen(str) - 1] != ']') { /* Restore the comma erased by strtok_r(). */ + if (ctx1[0] == '\0') + return -1; /* no closing bracket */ str[strlen(str)] = ','; /* Parse until next comma. */ str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1); -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2020-05-19 13:56:21.124617732 +0100 +++ 0056-kvargs-fix-buffer-overflow-when-parsing-list.patch 2020-05-19 13:56:18.287503043 +0100 @@ -1,15 +1,16 @@ -From ffcf831454a93c1da54299d4066dd03de6712a9b Mon Sep 17 00:00:00 2001 +From c285902e7baf8149b8d028601222ff68ddca768b Mon Sep 17 00:00:00 2001 
From: Yunjian Wang Date: Fri, 27 Mar 2020 09:09:55 +0100 Subject: [PATCH] kvargs: fix buffer overflow when parsing list +[ upstream commit ffcf831454a93c1da54299d4066dd03de6712a9b ] + When the input string is "key=[", the ending '\0' is replaced by a ',', leading to a heap buffer overflow. Check the content of ctx1 to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") -Cc: stable@dpdk.org Signed-off-by: Yunjian Wang Signed-off-by: Olivier Matz
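Review bot: In the app/test/test_kvargs.c hunk, the added "foo=[" entry covers the unterminated list only when it is the sole pair in the string; consider adding a second entry where it follows a valid pair, for example "check=1,foo=[" (both keys appear in valid_keys_list), so the same end-of-input path is reached after strtok_r() has already split off an earlier pair. Because the defect described in the commit message is a write over the ending '\0', these entries are most meaningful when the test suite is run under a heap checker such as AddressSanitizer.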
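Review bot: In the lib/librte_kvargs/rte_kvargs.c hunk, the new guard `ctx1[0] == '\0'` dereferences the save pointer of strtok_r(), whose contents POSIX leaves to the implementation, so the fix relies on the C library leaving ctx1 pointing at the terminating NUL once the input is exhausted; a library that stores NULL there instead would turn the guard into a NULL dereference. Suggest `if (ctx1 == NULL || ctx1[0] == '\0') return -1;`. As a style point, the check is inserted between the comment "Restore the comma erased by strtok_r()" and the `str[strlen(str)] = ',';` assignment that comment describes; placing the check above the comment keeps the comment attached to its statement.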