[dpdk-dev] [PATCH] cfgfile: fix integer overflow

[Dumitrescu, Cristian]

> -----Original Message-----
> From: Kobylinski, MichalX
> Sent: Friday, April 22, 2016 11:41 AM
> To: Dumitrescu, Cristian <cristian.dumitrescu at intel.com>; dev at dpdk.org
> Cc: Kobylinski, MichalX <michalx.kobylinski at intel.com>
> Subject: [PATCH] cfgfile: fix integer overflow
> 
> Fix issue reported by Coverity.
> 
> Coverity ID 13289: Integer overflowed argument: The argument will be too
> small or even negative, likely resulting in unexpected behavior (for
> example, under-allocation in a memory allocation function).
> In rte_cfgfile_load: An integer overflow occurs, with the overflowed
> value used as an argument to a function
> 
> Fixes: eaafbad419bf ("cfgfile: library to interpret config files")
> 
> Signed-off-by: Michal Kobylinski <michalx.kobylinski at intel.com>
> ---
>  lib/librte_cfgfile/rte_cfgfile.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
> index 75625a2..0a5a279 100644
> --- a/lib/librte_cfgfile/rte_cfgfile.c
> +++ b/lib/librte_cfgfile/rte_cfgfile.c
> @@ -135,7 +135,7 @@ rte_cfgfile_load(const char *filename, int flags)
>  				goto error1;
>  			}
>  			*end = '\0';
> -			_strip(&buffer[1], end - &buffer[1]);
> +			_strip(&buffer[1], (unsigned)(end - &buffer[1]));
> 
>  			/* close off old section and add start new one */
>  			if (curr_section >= 0)
> --
> 1.9.1

I don't understand the root issue here, can you please explain?

It looks to me that "end" is always going to point to a location bigger or equal to &buffer[1]. So the second parameter of _strip function is always going to be a positive number (0 included).