[v2,3/3] kvargs: fix a heap buffer overflow when parsing list
Checks
Commit Message
From: Yunjian Wang <wangyunjian@huawei.com>
When the input string is "key=[", the ending '\0' is replaced
by a ',', leading to a heap buffer overflow.
Check the content of ctx1 to avoid this problem.
Fixes: cc0579f2339a ("kvargs: support list value")
Cc: stable@dpdk.org
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
---
app/test/test_kvargs.c | 1 +
lib/librte_kvargs/rte_kvargs.c | 2 ++
2 files changed, 3 insertions(+)
@@ -217,6 +217,7 @@ static int test_invalid_kvargs(void)
"foo=1,=2", /* no key */
"foo=[1,2", /* no closing bracket in value */
",=", /* also test with a smiley */
+ "foo=[", /* no value in list and no closing bracket */
NULL };
const char **args;
const char *valid_keys_list[] = { "foo", "check", NULL };
@@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
/* Find the end of the list. */
while (str[strlen(str) - 1] != ']') {
/* Restore the comma erased by strtok_r(). */
+ if (ctx1[0] == '\0')
+ return -1; /* no closing bracket */
str[strlen(str)] = ',';
/* Parse until next comma. */
str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1);