From: Kevin Traynor
To: Yunjian Wang
Cc: Olivier Matz, David Marchand, dpdk stable
Date: Thu, 28 May 2020 17:22:13 +0100
Message-Id: <20200528162322.7863-26-ktraynor@redhat.com>
In-Reply-To: <20200528162322.7863-1-ktraynor@redhat.com>
References: <20200528162322.7863-1-ktraynor@redhat.com>
Subject: [dpdk-stable] patch 'kvargs: fix buffer overflow when parsing list' has been queued to LTS release 18.11.9

Hi,

FYI, your patch has been queued to LTS release 18.11.9

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/03/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/a27225ff8f76afc7a2ee1b3710eb8fef5189efe5

Thanks.

Kevin.

---
>From a27225ff8f76afc7a2ee1b3710eb8fef5189efe5 Mon Sep 17 00:00:00 2001
From: Yunjian Wang Date: Fri, 27 Mar 2020 09:09:55 +0100 Subject: [PATCH] kvargs: fix buffer overflow when parsing list [ upstream commit ffcf831454a93c1da54299d4066dd03de6712a9b ] When the input string is "key=[", the ending '\0' is replaced by a ',', leading to a heap buffer overflow. Check the content of ctx1 to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Signed-off-by: Yunjian Wang Signed-off-by: Olivier Matz Reviewed-by: David Marchand --- lib/librte_kvargs/rte_kvargs.c | 2 ++ test/test/test_kvargs.c | 1 + 2 files changed, 3 insertions(+) diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index f7030c63b7..a8a5cb50b9 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -51,4 +51,6 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) while (str[strlen(str) - 1] != ']') { /* Restore the comma erased by strtok_r(). */ + if (ctx1[0] == '\0') + return -1; /* no closing bracket */ str[strlen(str)] = ','; /* Parse until next comma. */ diff --git a/test/test/test_kvargs.c b/test/test/test_kvargs.c index f823b771fb..2a2dae43a0 100644 --- a/test/test/test_kvargs.c +++ b/test/test/test_kvargs.c @@ -218,4 +218,5 @@ static int test_invalid_kvargs(void) "foo=[1,2", /* no closing bracket in value */ ",=", /* also test with a smiley */ + "foo=[", /* no value in list and no closing bracket */ NULL }; const char **args; -- 2.21.3 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2020-05-28 17:13:00.521662253 +0100 +++ 0026-kvargs-fix-buffer-overflow-when-parsing-list.patch 2020-05-28 17:12:59.086556740 +0100 @@ -1 +1 @@ -From ffcf831454a93c1da54299d4066dd03de6712a9b Mon Sep 17 00:00:00 2001 +From a27225ff8f76afc7a2ee1b3710eb8fef5189efe5 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit ffcf831454a93c1da54299d4066dd03de6712a9b ] + @@ -12 +13,0 @@ -Cc: stable@dpdk.org @@ -18 +18,0 @@ - app/test/test_kvargs.c | 1 + 
@@ -19,0 +20 @@ + test/test/test_kvargs.c | 1 + @@ -22,10 +22,0 @@ -diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c -index f823b771fb..2a2dae43a0 100644 ---- a/app/test/test_kvargs.c -+++ b/app/test/test_kvargs.c -@@ -218,4 +218,5 @@ static int test_invalid_kvargs(void) - "foo=[1,2", /* no closing bracket in value */ - ",=", /* also test with a smiley */ -+ "foo=[", /* no value in list and no closing bracket */ - NULL }; - const char **args; @@ -33 +24 @@ -index d39332999e..1d815dcd96 100644 +index f7030c63b7..a8a5cb50b9 100644 @@ -42,0 +34,10 @@ +diff --git a/test/test/test_kvargs.c b/test/test/test_kvargs.c +index f823b771fb..2a2dae43a0 100644 +--- a/test/test/test_kvargs.c ++++ b/test/test/test_kvargs.c +@@ -218,4 +218,5 @@ static int test_invalid_kvargs(void) + "foo=[1,2", /* no closing bracket in value */ + ",=", /* also test with a smiley */ ++ "foo=[", /* no value in list and no closing bracket */ + NULL }; + const char **args;
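
Review bot: in the lib/librte_kvargs/rte_kvargs.c hunk, the new `ctx1[0] == '\0'` test dereferences ctx1 without first checking it for NULL. If ctx1 is the strtok_r() save pointer, as the comment next to it suggests, POSIX does not define what it holds once the last token has been returned, and a C library may leave it NULL at that point, so `if (ctx1 == NULL || ctx1[0] == '\0')` would be the safer form. The check also now sits between the "Restore the comma erased by strtok_r()" comment and the assignment that comment describes; placing it above the comment keeps the two together.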
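
Review bot: in the test_kvargs.c hunk, the added "foo=[" entry sits in the invalid-input table of test_invalid_kvargs(), so it presumably only checks that parsing is rejected; on a tree without the fix it may still pass, because a one-byte write past a heap buffer is not reliably visible from a return value. It would help to say in the comment or the commit message that this case is meant to be run under a memory checker (ASan or valgrind) to serve as a regression test for the overflow.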