From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <518222B1.9050003@6wind.com>
Date: Thu, 02 May 2013 10:24:17 +0200
From: Olivier MATZ
MIME-Version: 1.0
To: "Han, Dongsu"
Content-Type: multipart/mixed; boundary="------------080209020304030004020002"
Cc: dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH] fixed buffer overrun in handling log messages
List-Id: patches and discussions about DPDK

This is a multi-part message in MIME format.
--------------080209020304030004020002
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Hi,

Thank you for this patch. You are right, the '\0' is written outside the
bounds of the buffer. I would suggest a minor modification to your patch,
please see attachment.

Regards,
Olivier

On 05/01/2013 08:50 PM, Han, Dongsu wrote:
> I'm sending a proposed patch to fix the buffer overrun problem in
> handling log messages.
>
> Dongsu Han

-- 
Olivier MATZ
Tel +33-1-39-30-92-57
www.6wind.com

--------------080209020304030004020002
Content-Type: text/x-patch; name="0001-eal-log-fix-memory-corruption.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="0001-eal-log-fix-memory-corruption.patch"

>>From e14f9b05dbc8aca332fa6532382df6a70ff6da25 Mon Sep 17 00:00:00 2001 From: Dongsu Han Date: Thu, 2 May 2013 10:14:58 +0200 Subject: eal/log: fix memory corruption The '\0' is written outside the bounds of the log buffer, which can result in memory corruption or display issues with log messages. Use a new constant LOG_BUF_SIZE to store the effective size of the buffer in struct log_history. Acked-by: Olivier Matz Signed-off-by: Dongsu Han --- lib/librte_eal/common/eal_common_log.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/librte_eal/common/eal_common_log.c b/lib/librte_eal/common/eal_common_log.c index 1362109..21970c5 100644 --- a/lib/librte_eal/common/eal_common_log.c +++ b/lib/librte_eal/common/eal_common_log.c @@ -64,6 +64,7 @@ #include "eal_private.h" #define LOG_ELT_SIZE 2048 +#define LOG_BUF_SIZE (LOG_ELT_SIZE - sizeof(struct log_history)) #define LOG_HISTORY_MP_NAME "log_history" @@ -196,7 +197,7 @@ rte_log_add_in_history(const char *buf, size_t size) } /* not enough room for msg, buffer go back in mempool */ - if (size >= (LOG_ELT_SIZE - sizeof(*hist_buf))) { + if (size >= LOG_BUF_SIZE) { rte_mempool_mp_put(log_history_mp, hist_buf); rte_spinlock_unlock(&log_list_lock); return -ENOBUFS;
@@ -204,7 +205,7 @@ rte_log_add_in_history(const char *buf, size_t size) /* add in history */ memcpy(hist_buf->buf, buf, size); - hist_buf->buf[LOG_ELT_SIZE-1] = '\0'; + hist_buf->buf[LOG_BUF_SIZE-1] = '\0'; hist_buf->size = size; STAILQ_INSERT_TAIL(&log_history, hist_buf, next); rte_spinlock_unlock(&log_list_lock); -- 1.7.10.4 --------------080209020304030004020002--
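
Review bot: LOG_BUF_SIZE, added in the @@ -64,6 +64,7 @@ hunk, is an unsigned size_t expression, so if struct log_history ever grows to LOG_ELT_SIZE bytes or more the subtraction wraps to a huge value and neither the size check nor the terminator index bounds anything. A compile-time assertion that sizeof(struct log_history) < LOG_ELT_SIZE next to the define, plus a one-line comment saying that LOG_ELT_SIZE is the whole element and LOG_BUF_SIZE the payload part, would make the invariant explicit.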
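
Review bot: the size test in the @@ -196,7 +197,7 @@ hunk compares size against a constant, yet the error path shows it runs after hist_buf has been obtained and while log_list_lock is held, so an oversized message costs a buffer round trip under the lock. Consider rejecting with "if (size >= LOG_BUF_SIZE) return -ENOBUFS;" at the top of rte_log_add_in_history(), before the buffer is taken.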
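
Review bot: the terminator in the @@ -204,7 +205,7 @@ hunk is now in bounds but still sits at the fixed index LOG_BUF_SIZE-1 instead of right after the copied data, so for any message shorter than the buffer the bytes between size and that index keep whatever the element held before, and buf is not a clean C string. Since the earlier check guarantees size < LOG_BUF_SIZE, "hist_buf->buf[size] = '\0';" is in bounds and terminates the message where it ends.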
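
The layout problem the commit message describes, as an added example that is not part of the patch or of DPDK: it computes where buf[ELT_SIZE-1] and buf[BUF_SIZE-1] land inside one fixed-size element and stores a message with a bounded copy. struct hist_elt, ELT_SIZE, BUF_SIZE and the helper names are hypothetical, and the header layout is an assumption because struct log_history is not shown in the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELT_SIZE 2048 /* whole pool element, same value as LOG_ELT_SIZE */

/* Assumed layout (not shown on the page): header, then message bytes. */
struct hist_elt {
	struct hist_elt *next;
	unsigned size;
	char buf[]; /* payload occupies the rest of the element */
};

#define BUF_SIZE (ELT_SIZE - sizeof(struct hist_elt)) /* payload capacity */

/* Offset from the start of the element that a write to buf[idx] touches. */
static size_t elt_offset_of(size_t idx)
{
	return offsetof(struct hist_elt, buf) + idx;
}

/* 1 when buf[idx] lies inside the ELT_SIZE-byte element, 0 otherwise. */
static int idx_in_element(size_t idx)
{
	return elt_offset_of(idx) < ELT_SIZE;
}

/* Bounded store: refuse oversized input, terminate right after the data. */
static int hist_store(void *elt_mem, const char *msg, size_t size)
{
	struct hist_elt *e = elt_mem;
	if (size >= BUF_SIZE)
		return -ENOBUFS;
	memcpy(e->buf, msg, size);
	e->buf[size] = '\0'; /* size < BUF_SIZE, so this index is in bounds */
	e->size = (unsigned)size;
	return 0;
}

int main(void)
{
	void *elt = malloc(ELT_SIZE); /* stands in for one pool element */
	int rc = elt ? hist_store(elt, "constructed log line\n", 21) : -ENOMEM;
	printf("old idx in element: %d, new idx in element: %d, store: %d\n",
	       idx_in_element(ELT_SIZE - 1), idx_in_element(BUF_SIZE - 1), rc);
	free(elt);
	return 0;
}
```

The old index misses the element by the size of the header in front of buf, which is why the write can corrupt whatever follows the element in memory.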