These two patches fix defects found by coverity scan.

Main changes from v2:
- Fix coding style issue

Wei Huang (2):
raw/ifpga: terminate string filled by readlink with null
raw/ifpga: use trusted buffer to free

drivers/raw/ifpga/ifpga_rawdev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--
2.7.3
readlink() does not terminate string, add a null character at the end of the
string if readlink() succeeds.

Fixes: 9c006c45d0c5 ("raw/ifpga: scan PCIe BDF device tree")

Signed-off-by: Wei Huang <wei.huang@intel.com>
---
v2: fix coding style issue
---
drivers/raw/ifpga/ifpga_rawdev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index 0385514..f9de167 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -230,8 +230,9 @@ static int ifpga_rawdev_fill_info(struct ifpga_rawdev *ifpga_dev, memset(link, 0, sizeof(link)); memset(link1, 0, sizeof(link1)); ret = readlink(path, link, (sizeof(link)-1)); - if (ret == -1) + if ((ret < 0) || ((unsigned int)ret > (sizeof(link)-1))) return -1; + link[ret] = 0; /* terminate string with null character */ strlcpy(link1, link, sizeof(link1)); memset(ifpga_dev->parent_bdf, 0, 16); point = strlen(link); -- 2.7.3
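Review bot: the upper-bound test in the new condition, (unsigned int)ret > (sizeof(link)-1), cannot fire, because readlink() is called with sizeof(link)-1 as its size and never returns more than that. The case worth rejecting is ret equal to sizeof(link)-1, where the link target may have been silently truncated and the code still goes on to strlcpy() and strlen(link) on a partial path; comparing with >= instead of > would catch it. Keeping the result in an ssize_t, which is what readlink() returns, would also avoid the cast to unsigned int. Since link is zeroed by the memset() just above and readlink() is limited to sizeof(link)-1 bytes, the string was already terminated at run time, so the commit message could say that the explicit link[ret] = 0 is there to make the termination visible to the analyzer.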
In rte_fpga_do_pr, calling function read() may taint argument buffer which
turns to an untrusted value as argument of rte_free().

Fixes: ef1e8ede3da5 ("raw/ifpga: add Intel FPGA bus rawdev driver")

Signed-off-by: Wei Huang <wei.huang@intel.com>
---
v2: add fixes information to log
---
drivers/raw/ifpga/ifpga_rawdev.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index f9de167..27129b1 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -786,7 +786,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, int file_fd; int ret = 0; ssize_t buffer_size; - void *buffer; + void *buffer, *buf_to_free; u64 pr_error; if (!file_name) @@ -818,6 +818,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, ret = -ENOMEM; goto close_fd; } + buf_to_free = buffer; /*read the raw data*/ if (buffer_size != read(file_fd, (void *)buffer, buffer_size)) { @@ -835,8 +836,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, } free_buffer: - if (buffer) - rte_free(buffer); + if (buf_to_free) + rte_free(buf_to_free); close_fd: close(file_fd); file_fd = 0; -- 2.7.3
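Review bot: buf_to_free is declared uninitialised in the first hunk (void *buffer, *buf_to_free;) and is only assigned once the allocation has succeeded, so the free_buffer label is safe only while no path reaches it before that assignment. The visible allocation-failure path jumps to close_fd, which is fine as the code stands, but initialising buf_to_free to NULL at the declaration would keep a later goto free_buffer from handing an indeterminate pointer to rte_free().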
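Review bot: the assignment added before read() (buf_to_free = buffer;) has no comment, and nothing in the code says why two variables now hold the same address. read() writes to the memory behind the pointer, not to the pointer variable, so the value passed to rte_free() at free_buffer is the same before and after this patch; a one-line comment at the assignment stating that the copy exists to answer the analyzer's taint report would stop a later cleanup from folding the two variables back together.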
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Wei Huang
> Sent: October 30, 2020 8:22
> To: dev@dpdk.org; Xu, Rosen <rosen.xu@intel.com>; Zhang, Qi Z
> <qi.z.zhang@intel.com>
> Cc: Huang, Wei <wei.huang@intel.com>
> Subject: [dpdk-dev] [PATCH v2 1/2] raw/ifpga: terminate string filled by
> readlink with null
>
> readlink() does not terminate string, add a null character at the end of the
> string if readlink() succeeds.
>
> Fixes: 9c006c45d0c5 ("raw/ifpga: scan PCIe BDF device tree")

It is better to add the Coverity issue number, like "Coverity issue: xxxx".
Missing "Cc: stable@dpdk.org".

>
> Signed-off-by: Wei Huang <wei.huang@intel.com>
> ---
> v2: fix coding style issue
> ---
> drivers/raw/ifpga/ifpga_rawdev.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/raw/ifpga/ifpga_rawdev.c > b/drivers/raw/ifpga/ifpga_rawdev.c > index 0385514..f9de167 100644 > --- a/drivers/raw/ifpga/ifpga_rawdev.c > +++ b/drivers/raw/ifpga/ifpga_rawdev.c > @@ -230,8 +230,9 @@ static int ifpga_rawdev_fill_info(struct ifpga_rawdev > *ifpga_dev, > memset(link, 0, sizeof(link)); > memset(link1, 0, sizeof(link1)); > ret = readlink(path, link, (sizeof(link)-1)); > - if (ret == -1) > + if ((ret < 0) || ((unsigned int)ret > (sizeof(link)-1))) > return -1; > + link[ret] = 0; /* terminate string with null character */ link[ret] = '\0'; > strlcpy(link1, link, sizeof(link1)); > memset(ifpga_dev->parent_bdf, 0, 16); > point = strlen(link); > -- > 2.7.3
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Wei Huang
> Sent: October 30, 2020 8:22
> To: dev@dpdk.org; Xu, Rosen <rosen.xu@intel.com>; Zhang, Qi Z
> <qi.z.zhang@intel.com>
> Cc: Huang, Wei <wei.huang@intel.com>
> Subject: [dpdk-dev] [PATCH v2 2/2] raw/ifpga: use trusted buffer to free
>
> In rte_fpga_do_pr, calling function read() may taint argument buffer which
> turns to an untrusted value as argument of rte_free().
>
> Fixes: ef1e8ede3da5 ("raw/ifpga: add Intel FPGA bus rawdev driver")

It is better to add the Coverity issue number, like "Coverity issue: xxxx".
Missing "Cc: stable@dpdk.org".

>
> Signed-off-by: Wei Huang <wei.huang@intel.com>
> ---
> v2: add fixes information to log
> ---
> drivers/raw/ifpga/ifpga_rawdev.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/raw/ifpga/ifpga_rawdev.c > b/drivers/raw/ifpga/ifpga_rawdev.c > index f9de167..27129b1 100644 > --- a/drivers/raw/ifpga/ifpga_rawdev.c > +++ b/drivers/raw/ifpga/ifpga_rawdev.c > @@ -786,7 +786,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int > port_id, > int file_fd; > int ret = 0; > ssize_t buffer_size; > - void *buffer; > + void *buffer, *buf_to_free; > u64 pr_error; > > if (!file_name) > @@ -818,6 +818,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int > port_id, > ret = -ENOMEM; > goto close_fd; > } > + buf_to_free = buffer; > > /*read the raw data*/ > if (buffer_size != read(file_fd, (void *)buffer, buffer_size)) { @@ -835,8 > +836,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, > } > > free_buffer: > - if (buffer) > - rte_free(buffer); > + if (buf_to_free) > + rte_free(buf_to_free); > close_fd: > close(file_fd); > file_fd = 0; > -- > 2.7.3
> -----Original Message-----
> From: Huang, Wei <wei.huang@intel.com>
> Sent: Friday, October 30, 2020 8:22 AM
> To: dev@dpdk.org; Xu, Rosen <rosen.xu@intel.com>; Zhang, Qi Z
> <qi.z.zhang@intel.com>
> Cc: Huang, Wei <wei.huang@intel.com>
> Subject: [PATCH v2 0/2] raw/ifpga: fix coverity defects
>
> These two patches fix defects found by coverity scan.
>
> Main changes from v2:
> - Fix coding style issue
>
> Wei Huang (2):
> raw/ifpga: terminate string filled by readlink with null
> raw/ifpga: use trusted buffer to free
>
> drivers/raw/ifpga/ifpga_rawdev.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> --
> 2.7.3
Acked-by: Qi Zhang <qi.z.zhang@intel.com>
Applied to dpdk-next-net-intel.
Thanks
Qi