'recv()' fills the 'buf', later 'strlcpy()' used to copy from this buffer. But as coverity warns 'recv()' doesn't guarantee that 'buf' is null-terminated, but 'strlcpy()' requires it. Enlarge 'buf' size to 'EAL_UEV_MSG_LEN + 1' and ensure the last one can be set to 0 when received buffer size is EAL_UEV_MSG_LEN. CID 375864: Memory - illegal accesses (STRING_NULL) Passing unterminated string "buf" to "dev_uev_parse", which expects a null-terminated string. Coverity issue: 375864 Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process") Cc: stable@dpdk.org Signed-off-by: Steve Yang <stevex.yang@intel.com> --- lib/eal/linux/eal_dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/eal/linux/eal_dev.c b/lib/eal/linux/eal_dev.c index bde55a3d92..851789e85c 100644 --- a/lib/eal/linux/eal_dev.c +++ b/lib/eal/linux/eal_dev.c @@ -231,13 +231,13 @@ dev_uev_handler(__rte_unused void *param) { struct rte_dev_event uevent; int ret; - char buf[EAL_UEV_MSG_LEN]; + char buf[EAL_UEV_MSG_LEN + 1]; struct rte_bus *bus; struct rte_device *dev; const char *busname = ""; memset(&uevent, 0, sizeof(struct rte_dev_event)); - memset(buf, 0, EAL_UEV_MSG_LEN); + memset(buf, 0, EAL_UEV_MSG_LEN + 1); if (rte_intr_fd_get(intr_handle) < 0) return; -- 2.27.0
On 2/23/2022 8:49 AM, Steve Yang wrote:
> 'recv()' fills the 'buf', later 'strlcpy()' used to copy from this buffer.
> But as coverity warns 'recv()' doesn't guarantee that 'buf' is
> null-terminated, but 'strlcpy()' requires it.
>
> Enlarge 'buf' size to 'EAL_UEV_MSG_LEN + 1' and ensure the last one can
> be set to 0 when received buffer size is EAL_UEV_MSG_LEN.
>
> CID 375864: Memory - illegal accesses (STRING_NULL)
> Passing unterminated string "buf" to "dev_uev_parse", which expects
> a null-terminated string.
>
> Coverity issue: 375864
> Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process")
> Cc: stable@dpdk.org
>
> Signed-off-by: Steve Yang <stevex.yang@intel.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
23/02/2022 12:26, Ferruh Yigit:
> On 2/23/2022 8:49 AM, Steve Yang wrote:
> > 'recv()' fills the 'buf', later 'strlcpy()' used to copy from this buffer.
> > But as coverity warns 'recv()' doesn't guarantee that 'buf' is
> > null-terminated, but 'strlcpy()' requires it.
> >
> > Enlarge 'buf' size to 'EAL_UEV_MSG_LEN + 1' and ensure the last one can
> > be set to 0 when received buffer size is EAL_UEV_MSG_LEN.
> >
> > CID 375864: Memory - illegal accesses (STRING_NULL)
> > Passing unterminated string "buf" to "dev_uev_parse", which expects
> > a null-terminated string.
> >
> > Coverity issue: 375864
> > Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Steve Yang <stevex.yang@intel.com>
>
> Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
Applied, thanks.