diff mbox series

kvargs: fix a heap-buffer-overflow when detect list

Message ID 1584592680-14000-1-git-send-email-wangyunjian@huawei.com (mailing list archive)
State Superseded, archived
Delegated to: David Marchand
Headers
Series kvargs: fix a heap-buffer-overflow when detect list |

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-testing success Testing PASS
ci/travis-robot warning Travis build: failed

Commit Message

Yunjian Wang March 19, 2020, 4:38 a.m. UTC 
  From: Yunjian Wang <wangyunjian@huawei.com>

When an input params'value is '[', leading to the 'str' over read
or heap-buffer-overflow. So we can check the 'ctx1' length to avoid
this problem.

Fixes: cc0579f2339a ("kvargs: support list value")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 lib/librte_kvargs/rte_kvargs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Olivier Matz March 25, 2020, 4:31 p.m. UTC | #1 
Hi,

On Thu, Mar 19, 2020 at 12:38:00PM +0800, wangyunjian wrote:
> From: Yunjian Wang <wangyunjian@huawei.com>
> 
> When an input params'value is '[', leading to the 'str' over read
> or heap-buffer-overflow. So we can check the 'ctx1' length to avoid
> this problem.
> 
> Fixes: cc0579f2339a ("kvargs: support list value")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  lib/librte_kvargs/rte_kvargs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c
> index d39332999..a1144b90b 100644
> --- a/lib/librte_kvargs/rte_kvargs.c
> +++ b/lib/librte_kvargs/rte_kvargs.c
> @@ -48,7 +48,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
>  		str = kvlist->pairs[i].value;
>  		if (str[0] == '[') {
>  			/* Find the end of the list. */
> -			while (str[strlen(str) - 1] != ']') {
> +			while ((str[strlen(str) - 1] != ']') &&
> +			       (strlen(ctx1) > 0)) {
>  				/* Restore the comma erased by strtok_r(). */
>  				str[strlen(str)] = ',';
>  				/* Parse until next comma. */

I would prefer to keep the while condition as is, like this:

                                /* Restore the comma erased by strtok_r(). */
+                               if (ctx1[0] == '\0')
+                                       return -1; /* no closing bracket */
                                str[strlen(str)] = ',';

It avoids an uneeded call to strlen(), and ensure we are returning
an error in that case.

I also wanted to add a test case, but I realized that kvargs unit tests
are broken now. I have done 2 patches to fix them.

Do you mind if I send a patchset with these 2 patches + your patch
(keeping your signed-off and doing the modification described above),
to ensure there is no implicit dependency?

Thanks,
Olivier
Yunjian Wang March 26, 2020, 10:01 a.m. UTC | #2 
> -----邮件原件-----
> 发件人: Olivier Matz [mailto:olivier.matz@6wind.com]
> 发送时间: 2020年3月26日 0:32
> 收件人: wangyunjian <wangyunjian@huawei.com>
> 抄送: dev@dpdk.org; Lilijun (Jerry) <jerry.lilijun@huawei.com>; xudingke
> <xudingke@huawei.com>; stable@dpdk.org
> 主题: Re: [dpdk-dev] [PATCH] kvargs: fix a heap-buffer-overflow when detect
> list
> 
> Hi,
> 
> On Thu, Mar 19, 2020 at 12:38:00PM +0800, wangyunjian wrote:
> > From: Yunjian Wang <wangyunjian@huawei.com>
> >
> > When an input params'value is '[', leading to the 'str' over read or
> > heap-buffer-overflow. So we can check the 'ctx1' length to avoid this
> > problem.
> >
> > Fixes: cc0579f2339a ("kvargs: support list value")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > ---
> >  lib/librte_kvargs/rte_kvargs.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/librte_kvargs/rte_kvargs.c
> > b/lib/librte_kvargs/rte_kvargs.c index d39332999..a1144b90b 100644
> > --- a/lib/librte_kvargs/rte_kvargs.c
> > +++ b/lib/librte_kvargs/rte_kvargs.c
> > @@ -48,7 +48,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const
> char *params)
> >  		str = kvlist->pairs[i].value;
> >  		if (str[0] == '[') {
> >  			/* Find the end of the list. */
> > -			while (str[strlen(str) - 1] != ']') {
> > +			while ((str[strlen(str) - 1] != ']') &&
> > +			       (strlen(ctx1) > 0)) {
> >  				/* Restore the comma erased by strtok_r(). */
> >  				str[strlen(str)] = ',';
> >  				/* Parse until next comma. */
> 
> I would prefer to keep the while condition as is, like this:
> 
>                                 /* Restore the comma erased by
> strtok_r(). */
> +                               if (ctx1[0] == '\0')
> +                                       return -1; /* no closing
> bracket
> + */
>                                 str[strlen(str)] = ',';
> 
> It avoids an uneeded call to strlen(), and ensure we are returning an error in
> that case.
> 
> I also wanted to add a test case, but I realized that kvargs unit tests are broken
> now. I have done 2 patches to fix them.
> 
> Do you mind if I send a patchset with these 2 patches + your patch (keeping
> your signed-off and doing the modification described above), to ensure there is
> no implicit dependency?

No, I don’t mind. I agree with your view.

Thanks
Yunjian
> 
> Thanks,
> Olivier
diff mbox series

Patch

diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c
index d39332999..a1144b90b 100644
--- a/lib/librte_kvargs/rte_kvargs.c
+++ b/lib/librte_kvargs/rte_kvargs.c
@@ -48,7 +48,8 @@  rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
 		str = kvlist->pairs[i].value;
 		if (str[0] == '[') {
 			/* Find the end of the list. */
-			while (str[strlen(str) - 1] != ']') {
+			while ((str[strlen(str) - 1] != ']') &&
+			       (strlen(ctx1) > 0)) {
 				/* Restore the comma erased by strtok_r(). */
 				str[strlen(str)] = ',';
 				/* Parse until next comma. */