[dpdk-dev] [PATCH] ethdev: fix invalid length write on dev detach
Gaetan Rivet
gaetan.rivet at 6wind.com
Mon Jul 31 12:29:02 CEST 2017
The name of a device is copied in a provided buffer within
rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
the intended array usually pointed to.
The name field of an rte_device is not assured however to point an
rte_devargs name field. The almost correct length to base this copy over
is thus RTE_DEV_NAME_MAX_LEN.
Almost correct, because unfortunately this function does not allow the
user to pass down a size parameter for the buffer it is meant to write.
This API should be fixed, it is broken by design.
Fixes: a1e7c17555e8 ("ethdev: use device name from device structure")
Cc: Ferruh Yigit <ferruh.yigit at intel.com>
Signed-off-by: Gaetan Rivet <gaetan.rivet at 6wind.com>
---
lib/librte_ether/rte_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/librte_ether/rte_ethdev.c b/lib/librte_ether/rte_ethdev.c
index 805ef63..0597641 100644
--- a/lib/librte_ether/rte_ethdev.c
+++ b/lib/librte_ether/rte_ethdev.c
@@ -436,8 +436,8 @@ rte_eth_dev_detach(uint8_t port_id, char *name)
if (rte_eth_dev_is_detachable(port_id))
goto err;
- snprintf(name, sizeof(rte_eth_devices[port_id].device->name),
- "%s", rte_eth_devices[port_id].device->name);
+ snprintf(name, RTE_DEV_NAME_MAX_LEN, "%s",
+ rte_eth_devices[port_id].device->name);
ret = rte_eal_dev_detach(rte_eth_devices[port_id].device);
if (ret < 0)
--
2.1.4
More information about the dev
mailing list