From: bugzilla@dpdk.org
To: dev@dpdk.org
Date: Tue, 24 Aug 2021 02:14:12 +0000
Subject: [dpdk-dev] [Bug 792] The dev_uev_parse function has a stack overflow bug.

https://bugs.dpdk.org/show_bug.cgi?id=792

Bug ID: 792
Summary: The dev_uev_parse function has a stack overflow bug.
Product: DPDK
Version: 21.08
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: core
Assignee: dev@dpdk.org
Reporter: zhihongx.peng@intel.com
Target Milestone: ---

Code:

static int
dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)
{
	char action[EAL_UEV_MSG_ELEM_LEN];
	char subsystem[EAL_UEV_MSG_ELEM_LEN];
	char pci_slot_name[EAL_UEV_MSG_ELEM_LEN];
	int i = 0;

	memset(action, 0, EAL_UEV_MSG_ELEM_LEN);
	memset(subsystem, 0, EAL_UEV_MSG_ELEM_LEN);
	memset(pci_slot_name, 0, EAL_UEV_MSG_ELEM_LEN);

	while (i < length) {
		for (; i < length; i++) {
			if (*buf)
				break;
			buf++;
		}
		/**
		 * check device uevent from kernel side, no need to check
		 * uevent from udev.
		 */
		if (!strncmp(buf, "libudev", 7)) {
			buf += 7;
			i += 7;
			return -1;
		}
		if (!strncmp(buf, "ACTION=", 7)) {
			buf += 7;
			i += 7;
			strlcpy(action, buf, sizeof(action));
		} else if (!strncmp(buf, "SUBSYSTEM=", 10)) {
			buf += 10;
			i += 10;
			strlcpy(subsystem, buf, sizeof(subsystem));
		} else if (!strncmp(buf, "PCI_SLOT_NAME=", 14)) {
			buf += 14;
			i += 14;
			strlcpy(pci_slot_name, buf, sizeof(subsystem));
			event->devname = strdup(pci_slot_name);
		}

Bug description:

Because the minimum length of the buffer is not judged, when the length of the buffer is less than 7, strncmp will cause a stack buffer overflow.
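One way to bound the prefix comparisons the report describes, as an added example (not DPDK's code and not the fix applied upstream). `match_key` and `uev_get` are hypothetical helpers, and the input is assumed to be `length` bytes of NUL-separated records with no guaranteed terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key length if the rem bytes at p start with key, else 0. The length test
 * runs first, so memcmp never reads past the end of the buffer. */
static size_t match_key(const char *p, size_t rem, const char *key)
{
	size_t klen = strlen(key);
	return (rem >= klen && memcmp(p, key, klen) == 0) ? klen : 0;
}

/* Copy the value of key (e.g. "ACTION=") from the NUL-separated records in
 * buf[0..length), which need not be NUL-terminated. Returns 1 if found,
 * 0 if absent, -1 if a record starts with "libudev" (udev-originated). */
static int uev_get(const char *buf, size_t length, const char *key,
		   char *dst, size_t dstsz)
{
	size_t i = 0;
	if (dstsz == 0)
		return 0;
	dst[0] = '\0';
	while (i < length) {
		const char *p = buf + i;
		const char *nul = memchr(p, '\0', length - i);
		size_t reclen = nul ? (size_t)(nul - p) : length - i;
		size_t k = match_key(p, reclen, key);
		if (match_key(p, reclen, "libudev"))
			return -1;
		if (k != 0) {
			size_t vlen = reclen - k;
			if (vlen >= dstsz)
				vlen = dstsz - 1; /* truncate, as strlcpy would */
			memcpy(dst, p + k, vlen);
			dst[vlen] = '\0';
			return 1;
		}
		i += reclen + 1; /* step over the record and its NUL */
	}
	return 0;
}

int main(void)
{
	const char tiny[3] = { 'A', 'C', 'T' }; /* constructed: 3 bytes, no NUL */
	char out[32];
	printf("%d\n", uev_get(tiny, sizeof(tiny), "ACTION=", out, sizeof(out)));
	return 0;
}
```

Every comparison and copy is limited to the bytes of the current record, so a message shorter than the key being tested is rejected without reading beyond `length`.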