diff mbox

[dpdk-dev] ethdev: fix invalid length write on dev detach

Message ID 1757afd2673591a59ebd69cef7b569d344f20e7c.1501496827.git.gaetan.rivet@6wind.com (mailing list archive)
State Superseded, archived
Headers

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK

Commit Message

Gaëtan Rivet July 31, 2017, 10:29 a.m. UTC 
  The name of a device is copied in a provided buffer within
rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
the intended array usually pointed to.

The name field of an rte_device is not assured however to point an
rte_devargs name field. The almost correct length to base this copy over
is thus RTE_DEV_NAME_MAX_LEN.

Almost correct, because unfortunately this function does not allow the
user to pass down a size parameter for the buffer it is meant to write.
This API should be fixed, it is broken by design.

Fixes: a1e7c17555e8 ("ethdev: use device name from device structure")
Cc: Ferruh Yigit <ferruh.yigit@intel.com>

Signed-off-by: Gaetan Rivet <gaetan.rivet@6wind.com>
---
 lib/librte_ether/rte_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Thomas Monjalon July 31, 2017, 1:27 p.m. UTC | #1 
31/07/2017 12:29, Gaetan Rivet:
> The name of a device is copied in a provided buffer within
> rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
> the intended array usually pointed to.
> 
> The name field of an rte_device is not assured however to point an
> rte_devargs name field. The almost correct length to base this copy over
> is thus RTE_DEV_NAME_MAX_LEN.
> 
> Almost correct, because unfortunately this function does not allow the
> user to pass down a size parameter for the buffer it is meant to write.
> This API should be fixed, it is broken by design.

Yes we must discuss the future of this API function.

In the meantime, this limitation (size expectation) should be documented
in the doxygen comment. v2 please?
Gaëtan Rivet July 31, 2017, 1:29 p.m. UTC | #2 
On Mon, Jul 31, 2017 at 03:27:29PM +0200, Thomas Monjalon wrote:
> 31/07/2017 12:29, Gaetan Rivet:
> > The name of a device is copied in a provided buffer within
> > rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
> > the intended array usually pointed to.
> > 
> > The name field of an rte_device is not assured however to point an
> > rte_devargs name field. The almost correct length to base this copy over
> > is thus RTE_DEV_NAME_MAX_LEN.
> > 
> > Almost correct, because unfortunately this function does not allow the
> > user to pass down a size parameter for the buffer it is meant to write.
> > This API should be fixed, it is broken by design.
> 
> Yes we must discuss the future of this API function.
> 
> In the meantime, this limitation (size expectation) should be documented
> in the doxygen comment. v2 please?
> 

Sure
diff mbox

Patch

diff --git a/lib/librte_ether/rte_ethdev.c b/lib/librte_ether/rte_ethdev.c
index 805ef63..0597641 100644
--- a/lib/librte_ether/rte_ethdev.c
+++ b/lib/librte_ether/rte_ethdev.c
@@ -436,8 +436,8 @@  rte_eth_dev_detach(uint8_t port_id, char *name)
 	if (rte_eth_dev_is_detachable(port_id))
 		goto err;
 
-	snprintf(name, sizeof(rte_eth_devices[port_id].device->name),
-		 "%s", rte_eth_devices[port_id].device->name);
+	snprintf(name, RTE_DEV_NAME_MAX_LEN, "%s",
+		 rte_eth_devices[port_id].device->name);
 
 	ret = rte_eal_dev_detach(rte_eth_devices[port_id].device);
 	if (ret < 0)