From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.windriver.com (mail.windriver.com [147.11.1.11]) by dpdk.org (Postfix) with ESMTP id 9343D2C60 for ; Thu, 2 Mar 2017 20:29:54 +0100 (CET) Received: from ALA-HCA.corp.ad.wrs.com (ala-hca.corp.ad.wrs.com [147.11.189.40]) by mail.windriver.com (8.15.2/8.15.1) with ESMTPS id v22JTqOJ016184 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 2 Mar 2017 11:29:52 -0800 (PST) Received: from yow-cgts4-lx.wrs.com (128.224.145.137) by ALA-HCA.corp.ad.wrs.com (147.11.189.50) with Microsoft SMTP Server (TLS) id 14.3.294.0; Thu, 2 Mar 2017 11:29:52 -0800 From: Allain Legacy To: , CC: , Date: Thu, 2 Mar 2017 14:29:30 -0500 Message-ID: <1488482971-170522-5-git-send-email-allain.legacy@windriver.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1488482971-170522-1-git-send-email-allain.legacy@windriver.com> References: <1488482971-170522-1-git-send-email-allain.legacy@windriver.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [128.224.145.137] Subject: [dpdk-dev] [PATCH 4/5] cfgfile: use strnlen to constrain memchr search X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Mar 2017 19:29:55 -0000 The call to memchr() uses the absolute length of the string buffer instead of the actual length of the string returned by fgets(). This causes the search to go beyond the '\n' character and find ';' characters in random garbage on the stack. This then causes the 'len' variable to be updated and the subsequent search for the '=' character to potentially find one beyond the first newline character. Since this bug relies on ';' and '=' characters appearing in random places in the 'buffer' variable it is intermittently reproducible at best. Signed-off-by: Allain Legacy --- lib/librte_cfgfile/rte_cfgfile.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c index 2aba169..28956ea 100644 --- a/lib/librte_cfgfile/rte_cfgfile.c +++ b/lib/librte_cfgfile/rte_cfgfile.c @@ -133,7 +133,8 @@ struct rte_cfgfile * "Check if line too long\n", lineno); goto error1; } - pos = memchr(buffer, RTE_LIBRTE_CFGFILE_COMMENT_CHAR, len); + pos = memchr(buffer, RTE_LIBRTE_CFGFILE_COMMENT_CHAR, + sizeof(buffer)); if (pos != NULL) { *pos = '\0'; len = pos - buffer; -- 1.8.3.1